function FilterUnitTest::testHtmlFilter in Zircon Profile 8.0
Same name and namespace in other branches
- 8 core/modules/filter/src/Tests/FilterUnitTest.php \Drupal\filter\Tests\FilterUnitTest::testHtmlFilter()
Tests filter settings, defaults, access restrictions and similar.
@todo This is for functions like filter_filter and check_markup, whose functionality is not completely focused on filtering. Some ideas: restricting formats according to user permissions, proper cache handling, defaults -- allowed tags/attributes/protocols.
@todo It is possible to add script, iframe etc. to allowed tags, but this makes HTML filter completely ineffective.
@todo Class, id, name and xmlns should be added to disallowed attributes, or better a whitelist approach should be used for that too.
File
- core/
modules/ filter/ src/ Tests/ FilterUnitTest.php, line 411 - Contains \Drupal\filter\Tests\FilterUnitTest.
Class
- FilterUnitTest
- Tests Filter module filters individually.
Namespace
Drupal\filter\TestsCode
function testHtmlFilter() {
// Get FilterHtml object.
$filter = $this->filters['filter_html'];
$filter
->setConfiguration(array(
'settings' => array(
'allowed_html' => '<a> <p> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
),
));
// HTML filter is not able to secure some tags, these should never be
// allowed.
$f = (string) $filter
->process('<script />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove script tags.');
$f = (string) $filter
->process('<iframe />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove iframe tags.');
$f = (string) $filter
->process('<object />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove object tags.');
$f = (string) $filter
->process('<style />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove style tags.');
// Some tags make CSRF attacks easier, let the user take the risk herself.
$f = (string) $filter
->process('<img />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove img tags by default.');
$f = (string) $filter
->process('<input />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '', 'HTML filter should remove input tags by default.');
// Filtering content of some attributes is infeasible, these shouldn't be
// allowed too.
$f = (string) $filter
->process('<p style="display: none;" />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNoNormalized($f, 'style', 'HTML filter should remove style attributes.');
$this
->assertIdentical($f, '<p></p>');
$f = (string) $filter
->process('<p onerror="alert(0);"></p>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNoNormalized($f, 'onerror', 'HTML filter should remove on* attributes.');
$this
->assertIdentical($f, '<p></p>');
$f = (string) $filter
->process('<code onerror> </code>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes.');
// Note - this string has a decoded character.
$this
->assertIdentical($f, '<code> </code>');
$f = (string) $filter
->process('<br>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNormalized($f, '<br />', 'HTML filter should allow line breaks.');
$f = (string) $filter
->process('<br />', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNormalized($f, '<br />', 'HTML filter should allow self-closing line breaks.');
// All attributes of whitelisted tags are stripped by default.
$f = (string) $filter
->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNormalized($f, '<a>link</a>', 'HTML filter should remove attributes that are not explicitly allowed.');
// Now whitelist the "llama" attribute on <a>.
$filter
->setConfiguration(array(
'settings' => array(
'allowed_html' => '<a href llama> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
),
));
$f = (string) $filter
->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNormalized($f, '<a llama="awesome">link</a>', 'HTML filter keeps explicitly allowed attributes, and removes attributes that are not explicitly allowed.');
// Restrict the whitelisted "llama" attribute on <a> to only allow the value
// "majestical", or "epic".
$filter
->setConfiguration(array(
'settings' => array(
'allowed_html' => '<a href llama="majestical epic"> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
),
));
$f = (string) $filter
->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '<a>link</a>', 'HTML filter removes allowed attributes that do not have an explicitly allowed value.');
$f = (string) $filter
->process('<a kitten="cute" llama="majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '<a llama="majestical">link</a>', 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
$f = (string) $filter
->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
$f = (string) $filter
->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this
->assertIdentical($f, '<a href="/beautiful-animals" llama="epic majestical">link</a>', 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
}