
class SafeMarkupTest in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php \Drupal\Tests\Component\Utility\SafeMarkupTest

Tests marking strings as safe.

@group Utility
@coversDefaultClass \Drupal\Component\Utility\SafeMarkup


  • class \Drupal\Tests\UnitTestCase extends \Drupal\Tests\PHPUnit_Framework_TestCase



core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php, line 23
Contains \Drupal\Tests\Component\Utility\SafeMarkupTest.


class SafeMarkupTest extends UnitTestCase {

  /**
   * The error message of the last error in the error handler.
   *
   * @var string
   */
  protected $lastErrorMessage;

  /**
   * The error number of the last error in the error handler.
   *
   * @var int
   */
  protected $lastErrorNumber;

  /**
   * {@inheritdoc}
   */
  protected function tearDown() {

  /**
   * Tests SafeMarkup::isSafe() with different objects.
   *
   * @covers ::isSafe
   */
  public function testIsSafe() {
    $safe_string = $this
    $string_object = new SafeMarkupTestString('test');

  /**
   * Tests SafeMarkup::checkPlain().
   *
   * @dataProvider providerCheckPlain
   * @covers ::checkPlain
   *
   * @param string $text
   *   The text to provide to SafeMarkup::checkPlain().
   * @param string $expected
   *   The expected output from the function.
   * @param string $message
   *   The message to provide as output for the test.
   */
  function testCheckPlain($text, $expected, $message) {
    $result = SafeMarkup::checkPlain($text);
    $this->assertTrue($result instanceof HtmlEscapedText);
    $this->assertEquals($expected, $result, $message);
  }

  /**
   * Tests Drupal\Component\Render\HtmlEscapedText.
   *
   * Verifies that the result of SafeMarkup::checkPlain() is the same as using
   * HtmlEscapedText directly.
   *
   * @dataProvider providerCheckPlain
   *
   * @param string $text
   *   The text to provide to the HtmlEscapedText constructor.
   * @param string $expected
   *   The expected output from the function.
   * @param string $message
   *   The message to provide as output for the test.
   */
  function testHtmlEscapedText($text, $expected, $message) {
    $result = new HtmlEscapedText($text);
    $this->assertEquals($expected, $result, $message);
  }

  /**
   * Data provider for testCheckPlain() and testEscapeString().
   *
   * @see testCheckPlain()
   */
  function providerCheckPlain() {

    // Checks that invalid multi-byte sequences are escaped.
    $tests[] = array(
      'Escapes invalid sequence "Foo\\xC0barbaz"',
    $tests[] = array(
      'Escapes invalid sequence "\\xc2\\""',
    $tests[] = array(
      'Does not escape valid sequence "Fooÿñ"',

    // Checks that special characters are escaped.
    $tests[] = array(
      'Escapes &lt;script&gt; even inside an object that implements MarkupInterface.',
    $tests[] = array(
      'Escapes &lt;script&gt;',
    $tests[] = array(
      'Escapes reserved HTML characters.',
    $tests[] = array(
      'Escapes reserved HTML characters even inside an object that implements MarkupInterface.',
    return $tests;

  /**
   * Tests string formatting with SafeMarkup::format().
   *
   * @dataProvider providerFormat
   * @covers ::format
   *
   * @param string $string
   *   The string to run through SafeMarkup::format().
   * @param string[] $args
   *   The arguments to pass into SafeMarkup::format().
   * @param string $expected
   *   The expected result from calling the function.
   * @param string $message
   *   The message to display as output to the test.
   * @param bool $expected_is_safe
   *   Whether the result is expected to be safe for HTML display.
   */
  public function testFormat($string, array $args, $expected, $message, $expected_is_safe) {
    $result = SafeMarkup::format($string, $args);
    $this->assertEquals($expected, $result, $message);
    $this->assertEquals($expected_is_safe, SafeMarkup::isSafe($result), 'SafeMarkup::format correctly sets the result as safe or not safe.');
    foreach ($args as $arg) {
      $this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg));
    }
  }

  /**
   * Data provider for testFormat().
   *
   * @see testFormat()
   */
  function providerFormat() {
    $tests[] = array(
      'Simple text',
      'Simple text',
      'SafeMarkup::format leaves simple text alone.',
    $tests[] = array(
      'Escaped text: @value',
        '@value' => '<script>',
      'Escaped text: &lt;script&gt;',
      'SafeMarkup::format replaces and escapes string.',
    $tests[] = array(
      'Escaped text: @value',
        '@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>'),
      'Escaped text: <span>Safe HTML</span>',
      'SafeMarkup::format does not escape an already safe string.',
    $tests[] = array(
      'Placeholder text: %value',
        '%value' => '<script>',
      'Placeholder text: <em class="placeholder">&lt;script&gt;</em>',
      'SafeMarkup::format replaces, escapes and themes string.',
    $tests[] = array(
      'Placeholder text: %value',
        '%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>'),
      'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>',
      'SafeMarkup::format does not escape an already safe string themed as a placeholder.',
    $tests['javascript-protocol-url'] = [
      'Simple text <a href=":url">giraffe</a>',
        ':url' => 'javascript://',
      'Simple text <a href="//;bar">giraffe</a>',
      'Support for filtering bad protocols',
    $tests['external-url'] = [
      'Simple text <a href=":url">giraffe</a>',
        ':url' => '',
      'Simple text <a href=";bar">giraffe</a>',
      'Support for filtering bad protocols',
    $tests['relative-url'] = [
      'Simple text <a href=":url">giraffe</a>',
        ':url' => '/node/1?foo&bar',
      'Simple text <a href="/node/1?foo&amp;bar">giraffe</a>',
      'Support for filtering bad protocols',
    $tests['fragment-with-special-chars'] = [
      'Simple text <a href=":url">giraffe</a>',
        ':url' => ';',
      'Simple text <a href=";lt;">giraffe</a>',
      'Support for filtering bad protocols',
    $tests['mailto-protocol'] = [
      'Hey giraffe <a href=":url">MUUUH</a>',
        ':url' => '',
      'Hey giraffe <a href="">MUUUH</a>',
    $tests['js-with-fromCharCode'] = [
      'Hey giraffe <a href=":url">MUUUH</a>',
        ':url' => "javascript:alert(String.fromCharCode(88,83,83))",
      'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>',

    // Test some "URL" values that are not RFC 3986 compliant URLs. The result
    // of SafeMarkup::format() should still be valid HTML (other than the
    // value of the "href" attribute not being a valid URL), and not
    // vulnerable to XSS.
    $tests['non-url-with-colon'] = [
      'Hey giraffe <a href=":url">MUUUH</a>',
        ':url' => "llamas: they are not URLs",
      'Hey giraffe <a href=" they are not URLs">MUUUH</a>',
    $tests['non-url-with-html'] = [
      'Hey giraffe <a href=":url">MUUUH</a>',
        ':url' => "<span>not a url</span>",
      'Hey giraffe <a href="&lt;span&gt;not a url&lt;/span&gt;">MUUUH</a>',
    return $tests;

  /**
   * Custom error handler that saves the last error.
   *
   * We need this custom error handler because we cannot rely on the error to
   * exception conversion as __toString is never allowed to leak any kind of
   * exception.
   *
   * @param int $error_number
   *   The error number.
   * @param string $error_message
   *   The error message.
   */
  public function errorHandler($error_number, $error_message) {
    $this->lastErrorNumber = $error_number;
    $this->lastErrorMessage = $error_message;
  }

  /**
   * String formatting with SafeMarkup::format() and an unsupported placeholder.
   *
   * When you call SafeMarkup::format() with an unsupported placeholder, an
   * InvalidArgumentException should be thrown.
   */
  public function testUnexpectedFormat() {

    // We set a custom error handler because of
    set_error_handler([$this, 'errorHandler']);

    // We want this to trigger an error.
    $error = SafeMarkup::format('Broken placeholder: ~placeholder', [
      '~placeholder' => 'broken',
    ]);
    restore_error_handler();
    $this->assertEquals(E_USER_ERROR, $this->lastErrorNumber);
    $this->assertEquals('Invalid placeholder: ~placeholder', $this->lastErrorMessage);
  }

}
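
The three placeholder prefixes exercised by providerFormat(), as an added PHP sketch that is not Drupal's code and not part of this listing. The `sketch_*` functions, `SketchMarkup` and the protocol allow-list are assumptions; the inputs are provider cases from the listing, and an unknown prefix throws here where the test expects a user error.

```php
<?php
// Added sketch; not Drupal's implementation. All sketch_* names are hypothetical.
const SKETCH_ALLOWED_PROTOCOLS = ['http', 'https', 'mailto']; // assumed allow-list

// Stand-in for an object implementing MarkupInterface (already-safe HTML).
final class SketchMarkup {
  public $html;
  public function __construct($html) { $this->html = $html; }
}

// Escape plain strings; pass already-safe markup through unchanged.
function sketch_escape($value) {
  return $value instanceof SketchMarkup
    ? $value->html
    : htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Repeatedly drop a leading "scheme:" that is not on the allow-list.
function sketch_strip_protocols($uri) {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // '/', '?' or '#' before the colon: a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) { break; }
      if (!in_array(strtolower($scheme), SKETCH_ALLOWED_PROTOCOLS, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// '@' escapes, '%' escapes and wraps in <em>, ':' strips protocols then escapes.
function sketch_format($template, array $args) {
  $out = [];
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@': $out[$key] = sketch_escape($value); break;
      case '%': $out[$key] = '<em class="placeholder">' . sketch_escape($value) . '</em>'; break;
      case ':': $out[$key] = sketch_escape(sketch_strip_protocols((string) $value)); break;
      default: throw new InvalidArgumentException('Invalid placeholder: ' . $key);
    }
  }
  return strtr($template, $out);
}

// Inputs taken from the provider cases in the listing.
foreach ([
  ['Escaped text: @value', ['@value' => '<script>']],
  ['Escaped text: @value', ['@value' => new SketchMarkup('<span>Safe HTML</span>')]],
  ['Placeholder text: %value', ['%value' => '<script>']],
  ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'javascript:alert(String.fromCharCode(88,83,83))']],
  ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'llamas: they are not URLs']],
  ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => '<span>not a url</span>']],
] as [$template, $args]) {
  echo sketch_format($template, $args), PHP_EOL;
}
```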



| Name | Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
| SafeMarkupTest::$lastErrorMessage | protected | property | The error message of the last error in the error handler. | |
| SafeMarkupTest::$lastErrorNumber | protected | property | The error number of the last error in the error handler. | |
| SafeMarkupTest::errorHandler | public | function | Custom error handler that saves the last error. | |
| SafeMarkupTest::providerCheckPlain | | function | Data provider for testCheckPlain() and testEscapeString(). | |
| SafeMarkupTest::providerFormat | | function | Data provider for testFormat(). | |
| SafeMarkupTest::tearDown | protected | function | | |
| SafeMarkupTest::testCheckPlain | | function | Tests SafeMarkup::checkPlain(). | |
| SafeMarkupTest::testFormat | public | function | Tests string formatting with SafeMarkup::format(). | |
| SafeMarkupTest::testHtmlEscapedText | | function | Tests Drupal\Component\Render\HtmlEscapedText. | |
| SafeMarkupTest::testIsSafe | public | function | Tests SafeMarkup::isSafe() with different objects. | |
| SafeMarkupTest::testUnexpectedFormat | public | function | String formatting with SafeMarkup::format() and an unsupported placeholder. | |
| UnitTestCase::$randomGenerator | protected | property | The random generator. | |
| UnitTestCase::$root | protected | property | The app root. | |
| UnitTestCase::assertArrayEquals | protected | function | Asserts if two arrays are equal by sorting them first. | |
| UnitTestCase::getBlockMockWithMachineName | protected | function | Mocks a block with a block plugin. | |
| UnitTestCase::getClassResolverStub | protected | function | Returns a stub class resolver. | |
| UnitTestCase::getConfigFactoryStub | public | function | Returns a stub config factory that behaves according to the passed in array. | |
| UnitTestCase::getConfigStorageStub | public | function | Returns a stub config storage that returns the supplied configuration. | |
| UnitTestCase::getContainerWithCacheTagsInvalidator | protected | function | Sets up a container with a cache tags invalidator. | |
| UnitTestCase::getRandomGenerator | protected | function | Gets the random generator for the utility methods. | |
| UnitTestCase::getStringTranslationStub | public | function | Returns a stub translation manager that just returns the passed string. | |
| UnitTestCase::randomMachineName | public | function | Generates a unique random string containing letters and numbers. | |
| UnitTestCase::setUp | protected | function | | 259 |