-
Notifications
You must be signed in to change notification settings - Fork 4.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Tag Processor: throw when supplied unacceptible attribute names. (#44431
) The `WP_HTML_Tag_Processor` allows setting new HTML attributes with a given name and value. Previously this has allowed any string input for the attribute name, but we have to be careful not to print output that might break the HTML we're modifying. In this patch we're adding a check against the given attribute name and rejecting invalid or unacceptible names. WordPress here is more restrictive than HTML5. In order to avoid crashing real sites this only throws an exception when `WP_DEBUG` is set and active; in production environments it ignores the attribute update, skipping the invalid name. Co-authored-by: Adam Zieliński <[email protected]>
- Loading branch information
Showing
3 changed files
with
1,377 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| <?php | ||
| /** | ||
| * Unit tests covering WP_HTML_Tag_Processor functionality. | ||
| * | ||
| * @package WordPress | ||
| * @subpackage HTML | ||
| */ | ||
|
|
||
| if ( ! function_exists( 'esc_attr' ) ) { | ||
| function esc_attr( $s ) { | ||
| return str_replace( '"', '"', $s ); | ||
| } | ||
| } | ||
|
|
||
| if ( ! class_exists( 'WP_UnitTestCase' ) ) { | ||
| abstract class WP_UnitTestCase extends \PHPUnit\Framework\TestCase {} | ||
| } | ||
|
|
||
| require_once __DIR__ . '/../../lib/experimental/html/index.php'; | ||
|
|
||
| /** | ||
| * Runs tests in isolated PHP process for verifying behaviors | ||
| * that depend on the `WP_DEBUG` constant value, if set. | ||
| * | ||
| * @group html | ||
| * | ||
| * @coversDefaultClass WP_HTML_Tag_Processor | ||
| */ | ||
| class WP_HTML_Tag_Processor_Isolated_Test extends WP_UnitTestCase { | ||
| // phpcs:disable WordPress.NamingConventions.ValidVariableName.PropertyNotSnakeCase | ||
| protected $runTestInSeparateProcess = true; | ||
|
|
||
| /** | ||
| * Attribute names with invalid characters should be rejected. | ||
| * | ||
| * When WP_DEBUG is set we want to throw an error to alert a | ||
| * developer that they are sending invalid attribute names. | ||
| * | ||
| * @dataProvider data_invalid_attribute_names | ||
| * @covers set_attribute | ||
| */ | ||
| public function test_set_attribute_throw_when_given_invalid_attribute_names_in_debug_mode( $attribute_name ) { | ||
| define( 'WP_DEBUG', true ); | ||
| $p = new WP_HTML_Tag_Processor( '<span></span>' ); | ||
|
|
||
| $this->expectException( Exception::class ); | ||
|
|
||
| $p->next_tag(); | ||
| $p->set_attribute( $attribute_name, 'test' ); | ||
|
|
||
| $this->assertEquals( '<span></span>', (string) $p ); | ||
| } | ||
|
|
||
| /** | ||
| * Attribute names with invalid characters should be rejected. | ||
| * | ||
| * When WP_DEBUG isn't set we want to quietly fail to set the | ||
| * invalid attribute to avoid breaking the HTML and to do so | ||
| * without breaking the entire page. | ||
| * | ||
| * @dataProvider data_invalid_attribute_names | ||
| * @covers set_attribute | ||
| */ | ||
| public function test_set_attribute_silently_fails_when_given_invalid_attribute_names_outside_of_debug_mode( $attribute_name ) { | ||
| $p = new WP_HTML_Tag_Processor( '<span></span>' ); | ||
|
|
||
| $p->next_tag(); | ||
| $p->set_attribute( $attribute_name, 'test' ); | ||
|
|
||
| $this->assertEquals( '<span></span>', (string) $p ); | ||
| } | ||
|
|
||
| /** | ||
| * Data provider with invalid HTML attribute names. | ||
| * | ||
| * @return array { | ||
| * @type string $attribute_name Text considered invalid for HTML attribute names. | ||
| * } | ||
| */ | ||
| public function data_invalid_attribute_names() { | ||
| return array( | ||
| 'controls_null' => array( "i\x00d" ), | ||
| 'controls_newline' => array( "\nbroken-expectations" ), | ||
| 'space' => array( 'aria label' ), | ||
| 'double-quote' => array( '"id"' ), | ||
| 'single-quote' => array( "'id'" ), | ||
| 'greater-than' => array( 'sneaky>script' ), | ||
| 'solidus' => array( 'data/test-id' ), | ||
| 'equals' => array( 'checked=checked' ), | ||
| 'noncharacters_1' => array( html_entity_decode( 'anything' ) ), | ||
| 'noncharacters_2' => array( html_entity_decode( 'test' ) ), | ||
| 'noncharacters_3' => array( html_entity_decode( 'test' ) ), | ||
| 'noncharacters_4' => array( html_entity_decode( 'test' ) ), | ||
| 'noncharacters_5' => array( html_entity_decode( '' ) ), | ||
| 'wp_no_lt' => array( 'id<script' ), | ||
| 'wp_no_amp' => array( 'class<script' ), | ||
| ); | ||
| } | ||
|
|
||
| /** | ||
| * Attribute names with only valid characters should not be rejected. | ||
| * | ||
| * > Attributes have a name and a value. Attribute names must | ||
| * > consist of one or more characters other than controls, | ||
| * > U+0020 SPACE, U+0022 ("), U+0027 ('), U+003E (>), | ||
| * > U+002F (/), U+003D (=), and noncharacters. | ||
| * | ||
| * @see https://html.spec.whatwg.org/#attributes-2 | ||
| * | ||
| * @dataProvider data_valid_attribute_names | ||
| * @covers set_attribute | ||
| */ | ||
| public function test_set_attribute_does_not_reject_valid_attribute_names( $attribute_name ) { | ||
| define( 'WP_DEBUG', true ); | ||
| $p = new WP_HTML_Tag_Processor( '<span></span>' ); | ||
|
|
||
| $p->next_tag(); | ||
| $p->set_attribute( $attribute_name, 'test' ); | ||
|
|
||
| $this->assertEquals( "<span $attribute_name=\"test\"></span>", (string) $p ); | ||
| } | ||
|
|
||
| /** | ||
| * Data provider with valid HTML attribute names. | ||
| * | ||
| * @return array { | ||
| * @type string $attribute_name Text considered valid for HTML attribute names. | ||
| * } | ||
| */ | ||
| public function data_valid_attribute_names() { | ||
| return array( | ||
| 'ascii_letters' => array( 'abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ' ), | ||
| 'ascii_numbers' => array( '0123456789' ), | ||
| 'symbols' => array( '!@#$%^*()[]{};:\\||,.?`~£§±' ), | ||
| 'emoji' => array( '❌' ), | ||
| 'utf8_diacritics' => array( 'ÁÄÂÀÃÅČÇĆĎÉĚËÈÊẼĔȆĞÍÌÎÏİŇÑÓÖÒÔÕØŘŔŠŞŤÚŮÜÙÛÝŸŽáäâàãåčçćďéěëèêẽĕȇğíìîïıňñóöòôõøðřŕšşťúůüùûýÿžþÞĐđßÆa' ), | ||
| 'hebrew_accents' => array( html_entity_decode( '֝a' ) ), | ||
| // See https://arxiv.org/abs/2111.00169. | ||
| 'rtl_magic' => array( html_entity_decode( '⁧⁦abc⁩⁦def⁩⁩' ) ), | ||
| // Only a single unicode "noncharacter" should be rejected. Specific byte segments used in the "noncharacter" sequence are valid. | ||
| 'noncharacter_segments' => array( "\xFF\xFE" ), | ||
| ); | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.