-rw-r--r-- | modules/filter/filter.module | 7 | ||||
-rw-r--r-- | modules/filter/filter.test | 44 |
2 files changed, 38 insertions, 13 deletions
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index af0bb31f7..cfdaa5a77 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -993,6 +993,13 @@ function _filter_autop($text) {
 }
 /**
+ * Escapes all HTML tags, so they will be visible instead of being effective.
+ */
+function _filter_html_escape($text) {
+ return trim(check_plain($text));
+}
+
+/**
  * @} End of "Standard filters".
  */
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index d807ad467..5acfd610f 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -510,22 +510,16 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 /**
  * Test the HTML escaping filter.
- *
- * Here we test only whether check_plain() does what it should.
  */
 function testNoHtmlFilter() {
- // Test that characters that have special meaning in XML are changed into
- // entities.
- $f = check_plain('<>&"');
- $this->assertEqual($f, '<>&"', t('No HTML filter basic test.'));
-
- // A single quote can also be used for evil things in some contexts.
- $f = check_plain('\'');
- $this->assertEqual($f, ''', t('No HTML filter -- single quote.'));
+ $this->_testEscapedHTML('_filter_html_escape');
+ }
- // Test that the filter is not fooled by different evasion techniques.
- $f = check_plain("\xc2\"");
- $this->assertEqual($f, '', t('No HTML filter -- invalid UTF-8.'));
+ /**
+ * Test that the check_plain() function escapes HTML correctly.
+ */
+ function testCheckPlain() {
+ $this->_testEscapedHTML('check_plain');
 }
 /**
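Review bot: The docblock on `_filter_html_escape()` describes only the escaping, but the body also applies `trim()`, and the test added in the same commit pins that input which is not valid UTF-8 comes back as an empty string; neither fact is visible from the comment. Suggest replacing the one-line description with `* Escapes all HTML special characters so that markup is shown literally instead of being interpreted; leading and trailing whitespace is trimmed, and input that is not valid UTF-8 yields an empty string (see check_plain()).`. This hunk only defines the function; where it is registered as a filter callback is outside the hunk.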
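Review bot: The docblock `Test the HTML escaping filter.` no longer says what `testNoHtmlFilter()` does: it now calls `_filter_html_escape()` directly through the shared helper rather than running text through the filter, so a reader cannot tell from the comment which function is under test or that the filter wiring is not covered here. Suggest `* Tests _filter_html_escape() directly; the filter pipeline is not exercised here.`, and if another test in the class verifies that the filter is wired to this function, naming it in the comment. The class body continues outside the hunk.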
@@ -744,6 +738,30 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 function assertNoNormalized($haystack, $needle, $message = '', $group = 'Other') {
 return $this->assertTrue(strpos(strtolower(decode_entities($haystack)), $needle) === FALSE, $message, $group);
 }
+
+ /**
+ * Helper method to test functions that are intended to escape HTML.
+ *
+ * @param $function
+ * The name of the function to test.
+ */
+ function _testEscapedHTML($function) {
+ // Define string replacements for the assertion messages.
+ $replacements = array('@function' => $function);
+
+ // Test that characters that have special meaning in XML are changed into
+ // entities.
+ $f = $function('<>&"');
+ $this->assertEqual($f, '<>&"', t('The @function() function correctly filters basic HTML entities.', $replacements));
+
+ // A single quote can also be used for evil things in some contexts.
+ $f = $function('\'');
+ $this->assertEqual($f, ''', t('The @function() function correctly filters single quotes.', $replacements));
+
+ // Test that the filter is not fooled by different evasion techniques.
+ $f = $function("\xc2\"");
+ $this->assertEqual($f, '', t('The @function() function correctly filters invalid UTF-8.', $replacements));
+ }
 }
 /**
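Review bot: The shared helper `_testEscapedHTML()` only exercises the cases common to `check_plain()` and `_filter_html_escape()`, so the one behaviour that distinguishes the new function — the `trim()` of its result — has no assertion anywhere in this commit. Because the expected output differs between the two callees, that case belongs in `testNoHtmlFilter()` rather than in the helper, e.g. `$this->assertEqual(_filter_html_escape(" <b>x</b> "), '&lt;b&gt;x&lt;/b&gt;', t('Surrounding whitespace is trimmed.'));` (constructed example). A secondary documentation point: the `@param $function` description should state the contract the helper relies on, i.e. the name of a function that takes one string and returns the escaped string, since `$function('<>&"')` is a variable function call that fatals rather than fails the test when the name does not resolve.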