[Tag Processor] Merge the test files into a single file

phpunit/html/wp-html-tag-processor-standalone-test.php → phpunit/html/wp-html-tag-processor-test.php

@@ -1,26 +1,11 @@
 <?php
 /**
  * Unit tests covering WP_HTML_Tag_Processor functionality.
- * This file takes about 100ms to run because it does not load
- * any WordPress libraries:
- *
- * ```
- * ./vendor/bin/phpunit --no-configuration ./phpunit/html/wp-html-tag-processor-test.php
- * ```
- *
- * Put all new WP_HTML_Tag_Processor tests here, and only add new cases to
- * wp-html-tag-processor-test-wp.php when they cannot run without WordPress.
  *
  * @package WordPress
  * @subpackage HTML
  */
 
-if ( ! function_exists( 'esc_attr' ) ) {
-	function esc_attr( $string ) {
-		return htmlspecialchars( $string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'utf-8', false );
-	}
-}
-
 if ( ! class_exists( 'WP_UnitTestCase' ) ) {
 	abstract class WP_UnitTestCase extends \PHPUnit\Framework\TestCase {}
 }
@@ -256,31 +241,41 @@ public function test_set_attribute_on_a_non_existing_tag_does_not_change_the_mar
 	}
 
 	/**
-	 * Passing a double quote inside of an attribute values could lead to an XSS attack as follows:
+	 * Passing unescaped attribute values could lead to XSS attacks and malformed HTML.
+	 * This test ensures that we properly escape the values to avoid these problems.
 	 *
+	 * Example:
 	 * <code>
 	 *     $p = new WP_HTML_Tag_Processor( '<div class="header"></div>' );
 	 *     $p->next_tag();
-	 *     $p->set_attribute('class', '" onclick="alert');
-	 *     echo $p;
-	 *     // <div class="" onclick="alert"></div>
-	 * </code>
+	 *     $p->set_attribute( 'class', '" onclick="alert' );
 	 *
-	 * To prevent it, `set_attribute` calls `esc_attr()` on its given values.
+	 *     // Not this!
+	 *     '<div class="" onclick="alert"></div>'
 	 *
-	 * <code>
-	 *    <div class="&quot; onclick=&quot;alert"></div>
+	 *     // This instead…
+	 *     '<div class="&quot; onclick=&quot;alert"></div>'
 	 * </code>
 	 *
 	 * @ticket 56299
 	 *
 	 * @dataProvider data_set_attribute_escapable_values
 	 * @covers set_attribute
 	 */
-	public function test_set_attribute_prevents_xss( $attribute_value ) {
+	public function test_set_attribute_escapes_value($value ) {
+		$spy = function ( $safe_text, $text ) use ( $value ) {
+			$this->assertEquals( $value, $text );
+
+			return $safe_text;
+		};
+
+		add_filter( 'attribute_escape', $spy );
+
 		$p = new WP_HTML_Tag_Processor( '<div></div>' );
 		$p->next_tag();
-		$p->set_attribute( 'test', $attribute_value );
+		$p->set_attribute( 'test', $value );
+
+		remove_filter( 'attribute_escape', $spy );
 
 		/*
 		 * Testing the escaping is hard using tools that properly parse
@@ -297,7 +292,7 @@ public function test_set_attribute_prevents_xss( $attribute_value ) {
 		preg_match( '~^<div test=(.*)></div>$~', (string) $p, $match );
 		list( , $actual_value ) = $match;
 
-		$this->assertEquals( $actual_value, '"' . esc_attr( $attribute_value ) . '"' );
+		$this->assertEquals( $actual_value, '"' . esc_attr( $value ) . '"' );
 	}
 
 	/**