5 * Contains \Drupal\Tests\Component\Utility\SafeMarkupTest.
8 namespace Drupal\Tests\Component\Utility;
10 use Drupal\Component\Render\HtmlEscapedText;
11 use Drupal\Component\Utility\SafeMarkup;
12 use Drupal\Component\Render\MarkupInterface;
13 use Drupal\Component\Render\MarkupTrait;
14 use Drupal\Component\Utility\UrlHelper;
15 use Drupal\Tests\UnitTestCase;
18 * Tests marking strings as safe.
21 * @coversDefaultClass \Drupal\Component\Utility\SafeMarkup
23 class SafeMarkupTest extends UnitTestCase {
// Runs after every test. testFormat() widens the list of allowed URL
// protocols (it adds "mailto"); UrlHelper::setAllowedProtocols() is a static
// setter, so the default list is restored here to keep that change from
// leaking into later tests.
// NOTE(review): parent::tearDown() is not called in the visible lines —
// confirm the base class does not require it.
28 protected function tearDown() {
31 UrlHelper::setAllowedProtocols(['http', 'https']);
35 * Tests SafeMarkup::isSafe() with different objects.
// Two cases: an object implementing MarkupInterface is reported safe, while a
// plain object that merely has __toString() (SafeMarkupTestString, defined
// below) is not. Only the interface, not string-convertibility, confers safety.
39 public function testIsSafe() {
// NOTE(review): getMock() is the legacy PHPUnit mock API; newer PHPUnit
// versions provide createMock() instead — verify against the PHPUnit in use.
40 $safe_string = $this->getMock('\Drupal\Component\Render\MarkupInterface');
41 $this->assertTrue(SafeMarkup::isSafe($safe_string));
42 $string_object = new SafeMarkupTestString('test');
43 $this->assertFalse(SafeMarkup::isSafe($string_object));
47 * Tests SafeMarkup::checkPlain().
49 * @dataProvider providerCheckPlain
50 * @covers ::checkPlain
* @param string $text
53 * The text to provide to SafeMarkup::checkPlain().
54 * @param string $expected
55 * The expected output from the function.
56 * @param string $message
57 * The message to provide as output for the test.
59 public function testCheckPlain($text, $expected, $message) {
60 $result = SafeMarkup::checkPlain($text);
// Pins the return type as well as the content: checkPlain() must wrap its
// output in HtmlEscapedText rather than return a bare string.
// NOTE(review): assertInstanceOf() would give a clearer failure message here.
61 $this->assertTrue($result instanceof HtmlEscapedText);
// Compares the object's string form with $expected (presumably via
// __toString() — confirm).
62 $this->assertEquals($expected, $result, $message);
66 * Tests Drupal\Component\Render\HtmlEscapedText.
68 * Verifies that the result of SafeMarkup::checkPlain() is the same as using
69 * HtmlEscapedText directly.
71 * @dataProvider providerCheckPlain
* @param string $text
74 * The text to provide to the HtmlEscapedText constructor.
75 * @param string $expected
76 * The expected output from the function.
77 * @param string $message
78 * The message to provide as output for the test.
80 public function testHtmlEscapedText($text, $expected, $message) {
81 $result = new HtmlEscapedText($text);
82 $this->assertEquals($expected, $result, $message);
86 * Data provider for testCheckPlain() and testHtmlEscapedText().
88 * @see testCheckPlain()
* @see testHtmlEscapedText()
// Each row is [input, expected escaped output, assertion message].
// NOTE(review): in this listing the expected values of the "<script>" and
// reserved-character rows read as unescaped markup (input and expected output
// of the 'Escapes <script>' row are identical, which contradicts the message).
// This looks like entity decoding introduced by rendering the page rather than
// the test's real expectations — confirm against the source file.
// NOTE(review): the provider's `return $tests;` is not visible in this listing.
90 public function providerCheckPlain() {
91 // Checks that invalid multi-byte sequences are escaped.
// The invalid byte (\xC0, a lone \xC2) is replaced by the U+FFFD replacement
// character; a valid multi-byte sequence is passed through unchanged.
92 $tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"'];
93 $tests[] = ["\xc2\"", '�"', 'Escapes invalid sequence "\xc2\""'];
94 $tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"'];
96 // Checks that special characters are escaped.
// Wrapping the input in a MarkupInterface object must not bypass escaping:
// checkPlain() always escapes, regardless of the input's claimed safety.
97 $tests[] = [SafeMarkupTestMarkup::create("<script>"), '<script>', 'Escapes <script> even inside an object that implements MarkupInterface.'];
98 $tests[] = ["<script>", '<script>', 'Escapes <script>'];
99 $tests[] = ['<>&"\'', '<>&"'', 'Escapes reserved HTML characters.'];
100 $tests[] = [SafeMarkupTestMarkup::create('<>&"\''), '<>&"'', 'Escapes reserved HTML characters even inside an object that implements MarkupInterface.'];
106 * Tests string formatting with SafeMarkup::format().
108 * @dataProvider providerFormat
111 * @param string $string
112 * The string to run through SafeMarkup::format().
113 * @param string[] $args
114 * The arguments to pass into SafeMarkup::format().
115 * @param string $expected
116 * The expected result from calling the function.
117 * @param string $message
118 * The message to display as output to the test.
119 * @param bool $expected_is_safe
120 * Whether the result is expected to be safe for HTML display.
// The provider rows exercise the three placeholder prefixes: "@" (escaped
// substitution), "%" (escaped and wrapped in a placeholder <em>) and ":"
// (URL value whose dangerous protocols are filtered).
122 public function testFormat($string, array $args, $expected, $message, $expected_is_safe) {
// Widened so the 'mailto-protocol' row can pass; tearDown() resets this.
123 UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
125 $result = SafeMarkup::format($string, $args);
126 $this->assertEquals($expected, (string) $result, $message);
// NOTE(review): both sides are booleans, so assertSame() would be the
// stricter comparison here.
127 $this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
// Side-effect check: an argument is reported safe only if it was already a
// SafeMarkupTestMarkup, i.e. format() must not mark the caller's raw
// arguments as safe.
129 foreach ($args as $arg) {
130 $this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg));
135 * Data provider for testFormat().
// Each row is [format string, args, expected output, message, expected_is_safe].
// NOTE(review): as in providerCheckPlain(), several expected values in this
// listing read as unescaped markup while their messages say the value is
// escaped — likely an artifact of the page rendering; confirm against the
// source file.
// NOTE(review): the provider's `return $tests;` is not visible in this listing.
139 public function providerFormat() {
140 $tests[] = ['Simple text', [], 'Simple text', 'SafeMarkup::format leaves simple text alone.', TRUE];
141 $tests[] = ['Escaped text: @value', ['@value' => '<script>'], 'Escaped text: <script>', 'SafeMarkup::format replaces and escapes string.', TRUE];
142 $tests[] = ['Escaped text: @value', ['@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Escaped text: <span>Safe HTML</span>', 'SafeMarkup::format does not escape an already safe string.', TRUE];
143 $tests[] = ['Placeholder text: %value', ['%value' => '<script>'], 'Placeholder text: <em class="placeholder"><script></em>', 'SafeMarkup::format replaces, escapes and themes string.', TRUE];
144 $tests[] = ['Placeholder text: %value', ['%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>', 'SafeMarkup::format does not escape an already safe string themed as a placeholder.', TRUE];
// ":url" rows: a disallowed "javascript:" scheme is stripped, leaving only
// the remainder of the value in the href; allowed schemes and relative
// paths pass through; "<" in a fragment is still entity-escaped.
146 $tests['javascript-protocol-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'javascript://example.com?foo&bar'], 'Simple text <a href="//example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
147 $tests['external-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com?foo&bar'], 'Simple text <a href="http://example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
148 $tests['relative-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => '/node/1?foo&bar'], 'Simple text <a href="/node/1?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
149 $tests['fragment-with-special-chars'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com/#<'], 'Simple text <a href="http://example.com/#&lt;">giraffe</a>', 'Support for filtering bad protocols', TRUE];
// "mailto" is only allowed because testFormat() adds it to the protocol list.
150 $tests['mailto-protocol'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'mailto:test@example.com'], 'Hey giraffe <a href="mailto:test@example.com">MUUUH</a>', '', TRUE];
// After the scheme is removed the remaining text is an inert href value.
151 $tests['js-with-fromCharCode'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "javascript:alert(String.fromCharCode(88,83,83))"], 'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>', '', TRUE];
153 // Test some "URL" values that are not RFC 3986 compliant URLs. The result
154 // of SafeMarkup::format() should still be valid HTML (other than the
155 // value of the "href" attribute not being a valid URL), and not
156 // vulnerable to XSS.
// "llamas:" is treated as an unknown scheme and removed, per the expected value.
157 $tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE];
158 $tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="<span>not a url</span>">MUUUH</a>', '', TRUE];
160 // Tests non-standard placeholders that will not replace.
// A key without a recognised prefix is not substituted, so its value never
// reaches the output; the format string is returned unchanged.
161 $tests['non-standard-placeholder'] = ['Hey hey', ['risky' => "<script>alert('foo');</script>"], 'Hey hey', '', TRUE];
// Test double: a plain object that can be cast to string but does NOT
// implement MarkupInterface. testIsSafe() uses it to check that
// string-convertibility alone does not make a value "safe".
// NOTE(review): no $string property is declared in the visible lines; the
// constructor assigns it dynamically — confirm a declaration exists, since
// dynamic properties are deprecated in newer PHP versions.
167 class SafeMarkupTestString {
// @param string $string
//   The text returned by __toString().
171 public function __construct($string) {
172 $this->string = $string;
// Returns the wrapped string unchanged (no escaping is applied here).
175 public function __toString() {
176 return $this->string;
182 * Marks an object's __toString() method as returning markup.
184 class SafeMarkupTestMarkup implements MarkupInterface {