
public function SafeMarkupTest::providerFormat in Drupal 8

Data provider for testFormat().

See also

testFormat()

File

core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php, line 145
Contains \Drupal\Tests\Component\Utility\SafeMarkupTest.

Class

SafeMarkupTest
Tests marking strings as safe.

Namespace

Drupal\Tests\Component\Utility

Code

/**
 * Data provider for testFormat().
 *
 * Each row is a positional list: the format string, the placeholder
 * arguments, the expected output, a message string (empty for several rows),
 * and a boolean that is TRUE in every row (presumably "the result is expected
 * to be marked safe"; confirm against testFormat()).
 *
 * The expected outputs pin three placeholder behaviours:
 * - "@" values are HTML-escaped.
 * - "%" values are HTML-escaped and wrapped in <em class="placeholder">.
 * - ":" values lose a scheme-like prefix that is not accepted (javascript:,
 *   llamas:) while http: and mailto: are kept, and the remainder is escaped.
 * Values built with SafeMarkupTestMarkup::create() are expected to pass
 * through "@" and "%" unescaped.
 *
 * @return array
 *   The test rows. The first five have numeric keys, the rest are named.
 */
public function providerFormat() {
  // Templates shared by the URL rows. Both put ":url" inside a double-quoted
  // href, so the expected escaping below is only shown for that context.
  $simple_link = 'Simple text <a href=":url">giraffe</a>';
  $giraffe_link = 'Hey giraffe <a href=":url">MUUUH</a>';
  // NOTE(review): this message is also attached to the http, relative and
  // fragment rows, which supply no disallowed scheme.
  $protocol_message = 'Support for filtering bad protocols';

  return [
    // No placeholders at all: the string must come back unchanged.
    [
      'Simple text',
      [],
      'Simple text',
      'SafeMarkup::format leaves simple text alone.',
      TRUE,
    ],
    // "@": a plain string value is HTML-escaped on substitution.
    [
      'Escaped text: @value',
      ['@value' => '<script>'],
      'Escaped text: &lt;script&gt;',
      'SafeMarkup::format replaces and escapes string.',
      TRUE,
    ],
    // "@": a value created as safe markup is not escaped a second time.
    [
      'Escaped text: @value',
      ['@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')],
      'Escaped text: <span>Safe HTML</span>',
      'SafeMarkup::format does not escape an already safe string.',
      TRUE,
    ],
    // "%": a plain string value is escaped and wrapped in the placeholder
    // <em> element.
    [
      'Placeholder text: %value',
      ['%value' => '<script>'],
      'Placeholder text: <em class="placeholder">&lt;script&gt;</em>',
      'SafeMarkup::format replaces, escapes and themes string.',
      TRUE,
    ],
    // "%": safe markup is wrapped in the <em> element but not escaped.
    [
      'Placeholder text: %value',
      ['%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')],
      'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>',
      'SafeMarkup::format does not escape an already safe string themed as a placeholder.',
      TRUE,
    ],
    // ":": the javascript: scheme is dropped; what remains is a
    // protocol-relative URL with "&" escaped.
    'javascript-protocol-url' => [
      $simple_link,
      [':url' => 'javascript://example.com?foo&bar'],
      'Simple text <a href="//example.com?foo&amp;bar">giraffe</a>',
      $protocol_message,
      TRUE,
    ],
    // ":": an http URL keeps its scheme; only "&" is escaped.
    'external-url' => [
      $simple_link,
      [':url' => 'http://example.com?foo&bar'],
      'Simple text <a href="http://example.com?foo&amp;bar">giraffe</a>',
      $protocol_message,
      TRUE,
    ],
    // ":": a site-relative path is kept; only "&" is escaped.
    'relative-url' => [
      $simple_link,
      [':url' => '/node/1?foo&bar'],
      'Simple text <a href="/node/1?foo&amp;bar">giraffe</a>',
      $protocol_message,
      TRUE,
    ],
    // ":": input that already contains an entity is escaped again, so "&lt;"
    // is expected as "&amp;lt;".
    'fragment-with-special-chars' => [
      $simple_link,
      [':url' => 'http://example.com/#&lt;'],
      'Simple text <a href="http://example.com/#&amp;lt;">giraffe</a>',
      $protocol_message,
      TRUE,
    ],
    // ":": mailto: is expected to pass through untouched.
    'mailto-protocol' => [
      $giraffe_link,
      [':url' => 'mailto:test@example.com'],
      'Hey giraffe <a href="mailto:test@example.com">MUUUH</a>',
      '',
      TRUE,
    ],
    // ":": the javascript: scheme is dropped, leaving an href that is no
    // longer a script URL.
    'js-with-fromCharCode' => [
      $giraffe_link,
      [':url' => "javascript:alert(String.fromCharCode(88,83,83))"],
      'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>',
      '',
      TRUE,
    ],

    // Values that are not RFC 3986 compliant URLs. The output must still be
    // valid HTML (apart from the href not being a valid URL) and must not be
    // vulnerable to XSS.
    // Text before the first colon is treated like a scheme and removed.
    'non-url-with-colon' => [
      $giraffe_link,
      [':url' => "llamas: they are not URLs"],
      'Hey giraffe <a href=" they are not URLs">MUUUH</a>',
      '',
      TRUE,
    ],
    // Markup passed as a URL is entity-escaped, so it stays inside the
    // quoted attribute value.
    'non-url-with-html' => [
      $giraffe_link,
      [':url' => "<span>not a url</span>"],
      'Hey giraffe <a href="&lt;span&gt;not a url&lt;/span&gt;">MUUUH</a>',
      '',
      TRUE,
    ],

    // An argument key without a recognised prefix.
    // NOTE(review): the template does not contain the key "risky", so this
    // row passes however format() treats unprefixed keys. It does not show
    // that such a value would be escaped or ignored if the key did occur in
    // the string; a row whose template contains the key would cover that.
    'non-standard-placeholder' => [
      'Hey hey',
      ['risky' => "<script>alert('foo');</script>"],
      'Hey hey',
      '',
      TRUE,
    ],
  ];
}