[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4   * Escaping formatting functions.
   5   * Note: tests about escaping and sanitizing URLs are in urls.php
   6   *
   7   * @group formatting
   8   * @since 0.1
   9   */
  10  class Format_Esc extends PHPUnit\Framework\TestCase {
  11  
  12      /**
  13       * Attributes and how they should be escaped
  14       */
  15      function html_attributes() {
  16          return array(
  17              array(
  18                  '"double quotes"',
  19                  '&quot;double quotes&quot;',
  20              ),
  21              array(
  22                  "'single quotes'",
  23                  '&#039;single quotes&#039;',
  24              ),
  25              array(
  26                  "'mixed' " . '"quotes"',
  27                  '&#039;mixed&#039; &quot;quotes&quot;',
  28              ),
  29              array(
  30                  'foo & bar &baz; &apos;',
  31                  'foo &amp; bar &amp;baz; &apos;',
  32              ),
  33          );
  34      }
  35  
  36  
  37      /**
  38       * Attribute escaping
  39       *
  40       * @dataProvider html_attributes
  41       * @since 0.1
  42       */
  43  	function test_esc_attr( $attr, $escaped ) {
  44          $this->assertSame( $escaped, yourls_esc_attr( $attr ) );
  45      }
  46  
  47      /**
  48       * Attribute escaping -- escaping twice shouldn't change
  49       *
  50       * @dataProvider html_attributes
  51       * @since 0.1
  52       */
  53  	function test_esc_attr_twice( $attr, $escaped ) {
  54          $this->assertSame( $escaped, yourls_esc_attr( yourls_esc_attr( $attr ) ) );
  55      }
  56  
  57      /**
  58       * HTML string and how they should be escaped
  59       */
  60      function html_strings() {
  61          return array(
  62              // Simple string
  63              array(
  64                  'The quick brown fox.',
  65                  'The quick brown fox.',
  66              ),
  67              // URL with &
  68              array(
  69                  'https://127.0.0.1/admin/admin-ajax.php?id=y1120844669&action=edit&keyword=1a&nonce=bf3115ac3a',
  70                  'https://127.0.0.1/admin/admin-ajax.php?id=y1120844669&amp;action=edit&amp;keyword=1a&amp;nonce=bf3115ac3a',
  71              ),
  72              // More ampersands
  73              array(
  74                  'H&M and Dungeons & Dragons',
  75                  'H&amp;M and Dungeons &amp; Dragons',
  76              ),
  77              // Simple quotes
  78              array(
  79                  "SELECT stuff FROM table WHERE blah IN ('omg', 'wtf') AND foo = 1",
  80                  'SELECT stuff FROM table WHERE blah IN (&#039;omg&#039;, &#039;wtf&#039;) AND foo = 1',
  81              ),
  82              // Double quotes
  83              array(
  84                  'I am "special"',
  85                  'I am &quot;special&quot;',
  86              ),
  87              // Greater and less than
  88              array(
  89                  'this > that < that <randomhtml />',
  90                  'this &gt; that &lt; that &lt;randomhtml /&gt;',
  91              ),
  92              // Ignore actual entities
  93              array(
  94                  '&#038; &#x00A3; &#x22; &amp;',
  95                  '&amp; &#xA3; &quot; &amp;',
  96              ),
  97              // Empty string
  98              array(
  99                  '',
 100                  '',
 101              ),
 102          );
 103      }
 104  
 105      /**
 106       * HTML escaping
 107       *
 108       * @dataProvider html_strings
 109       * @since 0.1
 110       */
 111  	function test_esc_html( $html, $escaped ) {
 112          $this->assertSame( $escaped, yourls_esc_html( $html ) );
 113      }
 114  
 115      /**
 116       * String to escape and what they should look like once escaped
 117       */
 118      public function strings_to_escape() {
 119          return array(
 120             array( "I'm rock n' rollin'", "I\'m rock n\' rollin\'" ),
 121             array( 'I am "nice"', 'I am \"nice\"' ),
 122             array( 'Back\Slash', 'Back\\\Slash' ),
 123             array( "NULL\0NULL", 'NULL\0NULL' ), // notice the quote change
 124          );
 125      }
 126  
 127      /**
 128       * List of URLs and how they should be escaped
 129       */
 130      function list_of_URLs() {
 131          return array(
 132              array(
 133                  'http://example.com/?this=that&that=this',
 134                  'http://example.com/?this=that&#038;that=this',
 135              ),
 136              array(
 137                  'http://example.com/?this=that&that="this"',
 138                  'http://example.com/?this=that&#038;that=this',
 139              ),
 140              array(
 141                  "http://example.com/?this=that&that='this'",
 142                  'http://example.com/?this=that&#038;that=&#039;this&#039;',
 143              ),
 144              array(
 145                  "http://example.com/?this=that&that=<this>",
 146                  'http://example.com/?this=that&#038;that=this',
 147              ),
 148          );
 149      }
 150  
 151      /**
 152       * Escape URLs for display
 153       *
 154       * @since 0.1
 155       * @group url
 156       * @dataProvider list_of_URLs
 157       */
 158      function test_esc_urls( $url, $escaped ) {
 159          $this->assertEquals( $escaped, yourls_esc_url( $url ) );
 160      }
 161  
 162      /**
 163       * Some strings and how they should be escaped in javascript
 164       */
 165      function list_of_JS() {
 166          return array(
 167              array(
 168                  'hello world();',
 169                  'hello world();',
 170              ),
 171              array(
 172                  'hello("world");',
 173                  'hello(&quot;world&quot;);',
 174              ),
 175              array(
 176                  'foo & bar &baz; &apos;',
 177                  'foo &amp; bar &amp;baz; &apos;',
 178              ),
 179          );
 180      }
 181  
 182      /**
 183       * Escape JS
 184       *
 185       * @since 0.1
 186       * @dataProvider list_of_JS
 187       */
 188      function test_esc_js( $js, $escaped ) {
 189          $this->assertEquals( $escaped, yourls_esc_js( $js ) );
 190      }
 191  
 192      /**
 193       * Strings in a textarea and how they should be escaped
 194       */
 195      function list_of_textarea() {
 196          return array(
 197              array(
 198                  'hello<br/>world',
 199                  'hello&lt;br/&gt;world',
 200              ),
 201              array(
 202                  '"omg"',
 203                  '&quot;omg&quot;',
 204              ),
 205              array(
 206                  "'omg'",
 207                  '&#039;omg&#039;',
 208              ),
 209          );
 210      }
 211  
 212      /**
 213       * Escape JS
 214       *
 215       * @since 0.1
 216       * @dataProvider list_of_textarea
 217       */
 218      function test_esc_textarea( $text, $escaped ) {
 219          $this->assertEquals( $escaped, yourls_esc_textarea( $text ) );
 220      }
 221  
 222  }