Commit e1b0666f authored by larowlan's avatar larowlan Committed by larowlan

Issue #3064351 by larowlan, matt_paz, tsug0d, greggles: Pin composer.json to...

Issue #3064351 by larowlan, matt_paz, tsug0d, greggles: Pin composer.json to prevent installation of insecure versions of enshrined/svg-sanitize
parent fe187649
......@@ -3,7 +3,7 @@
"description": "Makes the SVG Sanitizer library available to Drupal",
"type": "drupal-module",
"require": {
"enshrined/svg-sanitize": "^0.7.1"
"enshrined/svg-sanitize": "^0.12.0"
},
"license": "GPL2+"
}
<?php
namespace Drupal\Tests\svg_sanitizer\Kernel;
use Drupal\Core\Entity\Entity\EntityViewDisplay;
use Drupal\Core\Render\RenderContext;
use Drupal\Core\StreamWrapper\PublicStream;
use Drupal\Core\Url;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\field\Entity\FieldConfig;
use Drupal\field\Entity\FieldStorageConfig;
use Drupal\file\Entity\File;
use Drupal\KernelTests\KernelTestBase;
use enshrined\svgSanitize\data\AllowedAttributes;
use enshrined\svgSanitize\data\AllowedTags;
use Symfony\Component\DomCrawler\Crawler;
/**
* Defines a class for testing svg sanitizer output.
*
* @group svg_sanitizer
*/
class SvgSanitizerFormatterTest extends KernelTestBase {
/**
* The test field name.
*
* @var string
*/
protected $fieldName = 'field_test';
/**
* The entity type ID.
*
* @var string
*/
protected $entityTypeId = 'entity_test';
/**
* Modules to enable.
*
* @var array
*/
public static $modules = [
'user',
'system',
'field',
'text',
'entity_test',
'field_test',
'svg_sanitizer',
'file',
];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$this->installEntitySchema($this->entityTypeId);
$this->installEntitySchema('file');
$this->installSchema('file', ['file_usage']);
EntityViewDisplay::create([
'targetEntityType' => 'entity_test',
'bundle' => 'entity_test',
'mode' => 'default',
])->save();
FieldStorageConfig::create([
'field_name' => $this->fieldName,
'entity_type' => $this->entityTypeId,
'type' => 'file',
])->save();
FieldConfig::create([
'entity_type' => $this->entityTypeId,
'field_name' => $this->fieldName,
'bundle' => $this->entityTypeId,
])->save();
}
/**
* Get and prepare the output of a field.
*
* @param string $url
* The path to the file.
* @param array $settings
* An array of formatter settings.
*
* @return string
* The rendered prepared field output.
*/
protected function getPreparedFieldOutput($filepath, array $settings) {
$file_system = \Drupal::service('file_system');
$file_system->copy($filepath, PublicStream::basePath());
$file = File::create([
'uri' => 'public://' . basename($filepath),
]);
$file->save();
$entity = EntityTest::create();
$entity->{$this->fieldName} = $file;
$entity->save();
$field_output = $this->container->get('renderer')
->executeInRenderContext(new RenderContext(), function () use ($entity, $settings) {
return $entity->{$this->fieldName}->view($settings);
});
return $this->stripWhitespace((string) $field_output[0]['#markup']);
}
/**
* Remove HTML whitespace from a string.
*
* @param string $string
* The input string.
*
* @return string
* The whitespace cleaned string.
*/
protected function stripWhitespace($string) {
$no_whitespace = preg_replace('/\s{2,}/', '', $string);
$no_whitespace = str_replace("\n", '', $no_whitespace);
return $no_whitespace;
}
/**
* Tests formatter output.
*
* @param string $filepath
* Filepath to SVG file, relative to drupal root.
* @param array $settings
* Formatter settings.
* @param array $expect_removed
* Removed selectors.
* @param array $expect_present
* Present selectors.
*
* @dataProvider providerSanitizer
*/
public function testSanitizer($filepath, array $settings, array $expect_removed, array $expect_present) {
$output = $this->getPreparedFieldOutput(DRUPAL_ROOT . $filepath, $settings);
$crawler = new Crawler($output);
foreach ($expect_removed as $removed) {
$this->assertEquals(0, $crawler->filter(sprintf('default|svg default|%s', $removed))->count(), sprintf('%s was removed', $removed));
}
foreach ($expect_present as $present) {
$this->assertGreaterThan(0, $crawler->filter(sprintf('default|svg default|%s', $present))->count(), sprintf('%s was found', $present));
}
}
/**
* Data provider.
*
* @return array
* Test cases.
*/
public function providerSanitizer() {
return [
'defaults' => [
'/vendor/enshrined/svg-sanitize/tests/data/svgTestOne.svg',
[
'type' => 'svg_sanitizer',
'settings' => [
'allowedattrs' => '',
'allowedtags' => '',
],
],
[
'this',
'script',
'line[onload]',
],
[
'line[fill=none]',
'line[x1]',
],
],
'additional' => [
'/vendor/enshrined/svg-sanitize/tests/data/svgTestOne.svg',
[
'type' => 'svg_sanitizer',
'settings' => [
'allowedattrs' => '',
'allowedtags' => 'this',
],
],
[
'script',
'line[onload]',
],
[
'this',
'line[fill=none]',
'line[x1]',
],
],
];
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment