/', '', $html);
}
/**
* Test the elimination of some XSS vulnerabilities
*/
public function test_html_xss()
{
// #1488850
$html = 'Firefox '
. 'Internet Explorer '
. 'Firefox '
. 'Internet Explorer '
. 'CLICK ME '; // #6896
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertDoesNotMatchRegularExpression('/data:text/', $washed, 'Remove data:text/html links');
$this->assertDoesNotMatchRegularExpression('/vbscript:/', $washed, 'Remove vbscript: links');
$this->assertDoesNotMatchRegularExpression('/data:application/', $washed, 'Remove data:application links');
}
/**
* Test fixing of invalid href
*/
public function test_href()
{
$html = "Firefox Firefox ";
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression('|href="http://test\.com"|', $washed, 'Link href with newlines (#1488940)');
$this->assertMatchesRegularExpression('|href="http://domain\.com"|', $washed, 'Link href with no protocol (#7454)');
}
/**
* Test data:image with newlines (#8613)
*/
public function test_data_image_with_newline()
{
$html = "
";
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertSame("
", $this->cleanupResult($washed));
}
/**
* Test XSS in area's href (#5240)
*/
public function test_href_area()
{
$html = '
'
. '
'
. '\n
\n"
. "This alternative text should survive
'
. " \n
/', $washed, 'Keep embedded tags');
}
/**
* Test handling HTML comments
*/
public function test_comments()
{
$washer = new \rcube_washtml();
$html = '
p2
';
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame('p2
', $washed, 'HTML conditional comments (#1489004)');
$html = 'para2
';
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame('para1
para2
', $washed, 'HTML comments - simple comment');
$html = 'para1
para2
';
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame('para1
para2
', $washed, 'HTML comments - tags inside (#1489904)');
$html = 'para1
para2
';
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame('para1
para2
', $washed, 'HTML comments - bracket inside');
$html = "\n2 \n4
";
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame("\n2 \n4
", $washed, 'HTML comments (#6464)');
}
/**
* Test fixing of invalid self-closing elements (#1489137)
*/
public function test_self_closing()
{
$html = '|', $washed);
}
/**
* Test fixing of invalid closing tags (#1489446)
*/
public function test_closing_tag_attrs()
{
$html = 'test ';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression('||', $washed);
}
/**
* Test fixing of invalid lists nesting (#1488768)
*/
public function test_lists()
{
$data = [
[
'First Second Third First Second Third First First FirstFirst sub FirstFirst sub a
';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression('|color: rgb\(241, 245, 218\)|', $washed, 'Color style (#1489697)');
$this->assertMatchesRegularExpression('|font-size: 10px|', $washed, 'Font-size style');
}
/**
* Test handling of unicode chars in style (#1489777)
*/
public function test_style_unicode()
{
$html = "test ";
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression(
'|style="font-family: \"新細明體\",\"serif\"; color: red"|',
$washed,
'Unicode chars in style attribute - quoted (#1489697)'
);
$html = "test ";
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression(
'|style="font-family: 新細明體; color: red"|',
$washed,
'Unicode chars in style attribute (#1489697)'
);
}
/**
* Test deprecated body attributes (#7109)
*/
public function test_style_body_attrs()
{
$html = 'a
';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertMatchesRegularExpression('|line-height: 1;|', $washed, 'Untouched line-height (#1489917)');
$this->assertMatchesRegularExpression('|; height: 10px|', $washed, 'Fixed height units');
$html = "
";
$expected = '
';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertSame($this->cleanupResult($washed), $expected, 'White-space and new-line characters handling');
}
/**
* Test invalid style cleanup - XSS prevention (#1490227)
*/
public function test_style_wash_xss()
{
$html = "title1 test
';
$washed = $washer->wash($html);
$this->assertSame('test
', $this->cleanupResult($washed));
$html = 'title1<img />title2 test
';
$washed = $washer->wash($html);
$this->assertSame('test
', $this->cleanupResult($washed));
}
/**
* Test SVG cleanup
*/
public function test_wash_svg()
{
$svg = '
An example text
';
$exp = '
410
An example text
';
$washer = new \rcube_washtml();
$washed = $washer->wash($svg);
$this->assertSame($washed, $exp, 'SVG content');
}
/**
* Test SVG cleanup
*
* @dataProvider provide_wash_svg_tests_cases
*/
#[DataProvider('provide_wash_svg_tests_cases')]
public function test_wash_svg_tests($input, $expected)
{
$washer = new \rcube_washtml();
$washed = $washer->wash($input);
$this->assertSame($expected, $this->cleanupResult($washed), 'SVG content');
}
/**
* Test cases for SVG tests
*/
public static function provide_wash_svg_tests_cases(): iterable
{
$svg1 = "Hello victim!
',
'Hello victim!
',
],
[
'Hello victim!
',
'Hello victim!
',
],
[
'XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS test ',
'test ',
],
[
'blah ',
'blah ',
],
[
'XSS ',
'XSS ',
],
[
'XSS ',
'XSS ',
],
[
'XSS ',
'XSS ',
],
[
'',
'',
],
[
'clickme clickme clickme clickme clickme clickme clickme clickme
I D =
1 2 k n W L (
V G S - V t
) 2
I_D = \frac{1}{2} k_n \frac{W}{L} (V_{GS}-V_t)^2
I D =
1 2 k n W L (
V G S - V t
) 2
I_D = \frac{1}{2} k_n \frac{W}{L} (V_{GS}-V_t)^2
';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertTrue($washer->extlinks);
$this->assertStringNotContainsString('TRACKING', $washed, 'Src attribute of tag (#5583)');
}
/**
* Test external links
*/
public function test_extlinks()
{
$html = [
['
', true],
];
foreach ($html as $item) {
$washer = new \rcube_washtml();
$washed = $washer->wash($item[0]);
$this->assertSame($item[1], $washer->extlinks);
}
foreach ($html as $item) {
$washer = new \rcube_washtml(['allow_remote' => true]);
$washed = $washer->wash($item[0]);
$this->assertFalse($washer->extlinks);
}
}
public function test_textarea_content_escaping()
{
$html = ''
. 'test '
. 'link '
. '
';
$washed = $washer->wash($html);
$this->assertStringContainsString('id="testmy-id"', $washed);
$this->assertStringContainsString('for="testmy-other-id"', $washed);
$this->assertStringContainsString('href="#testmy-id"', $washed);
$this->assertStringContainsString('class="testmy-class1 testmy-class2"', $washed);
// Make sure the anchor name is prefixed too
$html = 'test link
test anchor ';
$washed = $washer->wash($html);
$this->assertStringContainsString('href="#testa"', $washed);
$this->assertStringContainsString('name="testa"', $washed);
}
/**
* Test removing xml tag
*/
public function test_xml_tag()
{
$html = '
';
$washer = new \rcube_washtml();
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame($washed, '
');
$html = 'HTML';
$washer = new \rcube_washtml();
$washed = $this->cleanupResult($washer->wash($html));
$this->assertSame($washed, 'HTML');
}
/**
* Test missing main HTML hierarchy tags (#6713)
*/
public function test_missing_tags()
{
$washer = new \rcube_washtml();
$html = 'First linealert(document.cookie)]]>
';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertTrue(strpos($washed, '