diff options
author | Dries Buytaert <dries@buytaert.net> | 2008-12-09 19:53:36 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2008-12-09 19:53:36 +0000 |
commit | 8802e0d3aff7b993a0325e46eb33f3855a72bbe3 (patch) | |
tree | b0b96ae81cd30a00e99883c502f2492236535957 /modules | |
parent | 8ad5cba994367f5b5fe35a2caaae7ec321ecaebd (diff) | |
download | brdo-8802e0d3aff7b993a0325e46eb33f3855a72bbe3.tar.gz brdo-8802e0d3aff7b993a0325e46eb33f3855a72bbe3.tar.bz2 |
- Patch #276111 by pwolanin, Gabor et al: validate translation strings on import.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/locale/locale.test | 104 |
1 files changed, 102 insertions, 2 deletions
diff --git a/modules/locale/locale.test b/modules/locale/locale.test index 26904e824..932cde227 100644 --- a/modules/locale/locale.test +++ b/modules/locale/locale.test @@ -4,8 +4,8 @@ class LocaleTestCase extends DrupalWebTestCase { function getInfo() { return array( - 'name' => t('String translate'), - 'description' => 'Adds a new locale and translates its name', + 'name' => t('String translate and validate'), + 'description' => 'Adds a new locale and translates its name. Checks the validation of translation strings.', 'group' => 'Locale', ); } @@ -110,6 +110,67 @@ class LocaleTestCase extends DrupalWebTestCase { $this->drupalPost('admin/build/translate/search', $search, t('Search')); $this->assertNoText($name, 'Search now can not find the name'); } + + function testLocaleStringTest() { + global $base_url; + + // User to add language and strings + $admin_user = $this->drupalCreateUser(array('administer languages', 'access administration pages', 'translate interface')); + $this->drupalLogin($admin_user); + $langcode = str_replace('simpletest_', 'si-', $this->randomName(6)); + // The English name for the language. This will be translated. + $name = $this->randomName(16); + // The native name for the language. + $native = $this->randomName(16); + // The domain prefix. Not tested yet. + $prefix = strtolower(str_replace('si-', '', $langcode)); + // This is the language indicator on the translation search screen for + // untranslated strings. Copied straight from locale.inc. + $language_indicator = "<em class=\"locale-untranslated\">$langcode</em> "; + // These will be the invalid translations of $name. + $key = $this->randomName(16); + $bad_translations[$key] = "<script>alert('xss');</script>" . $key; + $key = $this->randomName(16); + $bad_translations[$key] = '<img SRC="javascript:alert(\'xss\');">' . $key; + $key = $this->randomName(16); + $bad_translations[$key] = '<<SCRIPT>alert("xss");//<</SCRIPT>' . $key; + $key = $this->randomName(16); + $bad_translations[$key] ="<BODY ONLOAD=alert('xss')>" . $key; + + // Add language. + $edit = array ( + 'langcode' => $langcode, + 'name' => $name, + 'native' => $native, + 'prefix' => $prefix, + 'direction' => '0', + ); + $this->drupalPost('admin/settings/language/add', $edit, t('Add custom language')); + // Add string. + t($name, array(), $langcode); + // Reset locale cache. + $search = array ( + 'string' => $name, + 'language' => 'all', + 'translation' => 'all', + 'group' => 'all', + ); + $this->drupalPost('admin/build/translate/search', $search, t('Search')); + // Find the edit path + $content = $this->drupalGetContent(); + $this->assertTrue(preg_match('@(admin/build/translate/edit/[0-9]+)@', $content, $matches), t('Found the edit path')); + $path = $matches[0]; + foreach ($bad_translations as $key => $translation) { + $edit = array ( + "translations[$langcode]" => $translation, + ); + $this->drupalPost($path, $edit, t('Save translations')); + // Check for a form error on the textarea. + $form_class = $this->xpath('//form[@id="locale-translate-edit-form"]//textarea/@class'); + $this->assertNotIdentical(FALSE, strpos($form_class[0], 'error'), t('The string was rejected as unsafe.')); + $this->assertNoText(t('The string has been saved.'), t('The string was not saved.')); + } + } } /** @@ -154,6 +215,20 @@ class LocaleImportFunctionalTest extends DrupalWebTestCase { // The importation should have create 7 strings. $this->assertRaw(t('The translation was successfully imported. There are %number newly created translated strings, %update strings were updated and %delete strings were removed.', array('%number' => 7, '%update' => 0, '%delete' => 0)), t('The translation file was successfully imported')); + + // Try importing a .po file with script. + $name = tempnam(file_directory_temp(), "po_"); + file_put_contents($name, $this->getBadPoFile()); + $this->drupalPost('admin/build/translate/import', array( + 'langcode' => 'fr', + 'files[file]' => $name, + ), t('Import')); + unlink($name); + // The importation should have created 1 string and rejected 2. + $this->assertRaw(t('The translation was successfully imported. There are %number newly created translated strings, %update strings were updated and %delete strings were removed.', array('%number' => 1, '%update' => 0, '%delete' => 0)), t('The translation file was successfully imported.')); + $skip_message = format_plural(2, 'One translation string was skipped because it contains disallowed HTML.', '@count translation strings were skipped because they contain disallowed HTML.'); + $this->assertRaw($skip_message, t('Unsafe strings were skipped.')); + } /** @@ -191,4 +266,29 @@ msgid "Sunday" msgstr "dimanche" EOF; } + + /** + * Helper function that returns a proper .po file. + */ + function getBadPoFile() { + return <<< EOF +msgid "" +msgstr "" +"Project-Id-Version: Drupal 6\\n" +"MIME-Version: 1.0\\n" +"Content-Type: text/plain; charset=UTF-8\\n" +"Content-Transfer-Encoding: 8bit\\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\\n" + +msgid "Save configuration" +msgstr "Enregistrer la configuration" + +msgid "edit" +msgstr "modifier<img SRC="javascript:alert(\'xss\');">" + +msgid "delete" +msgstr "supprimer<script>alert('xss');</script>" + +EOF; + } } |