author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-08-29 03:55:44 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-08-29 03:55:44 +0000 |
commit | 5c5b3a149a928b4c6761a0b9161d383a83677ec7 (patch) | |
tree | af914164f90ab16592eaa27f2b5f2de1bfead540 | |
parent | 7c67c8ce209b0c6046e6ca76367958e61b2cb6ea (diff) | |
#560740 by sun and David_Rothstein: 'Escape all HTML' filter did not escape any HTML. Now that's a problem. (with tests)
-rw-r--r-- | modules/filter/filter.module | 7 | ||||
-rw-r--r-- | modules/filter/filter.test | 44 |
2 files changed, 38 insertions, 13 deletions
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index af0bb31f7..cfdaa5a77 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -993,6 +993,13 @@ function _filter_autop($text) {
 }
 /**
+ * Escapes all HTML tags, so they will be visible instead of being effective.
+ */
+function _filter_html_escape($text) {
+ return trim(check_plain($text));
+}
+
+/**
 * @} End of "Standard filters".
 */
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index d807ad467..5acfd610f 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -510,22 +510,16 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 /**
 * Test the HTML escaping filter.
- *
- * Here we test only whether check_plain() does what it should.
 */
 function testNoHtmlFilter() {
- // Test that characters that have special meaning in XML are changed into
- // entities.
- $f = check_plain('<>&"');
- $this->assertEqual($f, '<>&"', t('No HTML filter basic test.'));
-
- // A single quote can also be used for evil things in some contexts.
- $f = check_plain('\'');
- $this->assertEqual($f, ''', t('No HTML filter -- single quote.'));
+ $this->_testEscapedHTML('_filter_html_escape');
+ }
- // Test that the filter is not fooled by different evasion techniques.
- $f = check_plain("\xc2\"");
- $this->assertEqual($f, '', t('No HTML filter -- invalid UTF-8.'));
+ /**
+ * Test that the check_plain() function escapes HTML correctly.
+ */
+ function testCheckPlain() {
+ $this->_testEscapedHTML('check_plain');
 }
 /**
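Review bot: The docblock on the new `_filter_html_escape()` stops at a one-line summary, and the two properties a maintainer needs are not stated: check_plain() yields an empty string for input that is not valid UTF-8 (the test hunk relies on exactly that), and the outer trim() strips leading and trailing whitespace, so the filter's output is not byte-identical to check_plain(). I would add below the summary `@param $text The text to escape. @return The escaped text with surrounding whitespace removed, or an empty string if $text is not valid UTF-8.`. Whether the trim() is deliberate is not visible in this diff; if the filter is meant to be a pure check_plain() wrapper, dropping it keeps the two in lockstep. The filter registration entry that names this callback is not in the diff either, so I am assuming it already references '_filter_html_escape' — that wiring is what actually makes the 'Escape all HTML' format start escaping, and is worth confirming.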
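Review bot: testNoHtmlFilter() now calls `_filter_html_escape()` directly, so it proves the escaping function works in isolation but not that the 'Escape all HTML' format actually runs it, which is the failure the commit title describes. A second assertion that pushes text through check_markup() with a format using only that filter would catch a missing or misnamed callback, which a unit call never can. The enclosing FilterUnitTestCase class starts and ends outside this hunk.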
@@ -744,6 +738,30 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 function assertNoNormalized($haystack, $needle, $message = '', $group = 'Other') {
 return $this->assertTrue(strpos(strtolower(decode_entities($haystack)), $needle) === FALSE, $message, $group);
 }
+
+ /**
+ * Helper method to test functions that are intended to escape HTML.
+ *
+ * @param $function
+ * The name of the function to test.
+ */
+ function _testEscapedHTML($function) {
+ // Define string replacements for the assertion messages.
+ $replacements = array('@function' => $function);
+
+ // Test that characters that have special meaning in XML are changed into
+ // entities.
+ $f = $function('<>&"');
+ $this->assertEqual($f, '<>&"', t('The @function() function correctly filters basic HTML entities.', $replacements));
+
+ // A single quote can also be used for evil things in some contexts.
+ $f = $function('\'');
+ $this->assertEqual($f, ''', t('The @function() function correctly filters single quotes.', $replacements));
+
+ // Test that the filter is not fooled by different evasion techniques.
+ $f = $function("\xc2\"");
+ $this->assertEqual($f, '', t('The @function() function correctly filters invalid UTF-8.', $replacements));
+ }
 }
 /** |
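Review bot: `_testEscapedHTML()` is shared between check_plain() and `_filter_html_escape()`, but the latter also trim()s its result, so the helper only stays valid for inputs with no surrounding whitespace; the docblock should say so, e.g. `Inputs must carry no leading or trailing whitespace, because _filter_html_escape() trims its output while check_plain() does not.` None of the three cases feeds an actual tag through, so the property the commit title is about — markup becomes visible text rather than effective markup — is only inferred from the single-character case; one assertion such as `$this->assertEqual($function('<b>x</b>'), '&lt;b&gt;x&lt;/b&gt;', t('The @function() function renders tags as text.', $replacements));` pins it directly. The expected strings in the existing assertions appear entity-decoded here, which I take to be the page rendering rather than the source. The enclosing class continues outside this hunk.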