r100584 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r100583‎ \| r100584 \| r100585 >
Date:	08:39, 24 October 2011
Author:	hashar
Status:	ok
Tags:
Comment:	Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
Modified paths:	/trunk/phase3/tests/phpunit/includes/SanitizerTest.php (modified) (history)

Diff [purge]

Index: trunk/phase3/tests/phpunit/includes/SanitizerTest.php
—	—	@@ -126,5 +126,31 @@
127	127	$GLOBALS['wgCleanupPresentationalAttributes'] = false;
128	128	$this->assertEquals( Sanitizer::fixTagAttributes( 'clear="left"', 'br' ), ' clear="left"', 'Deprecated attributes are not converted to styles when enabled.' );
129	129	}
	130	+
	131	+ /**
	132	+ * @dataProvider provideCssCommentsFixtures
	133	+ */
	134	+ function testCssCommentsChecking( $expected, $css, $message = '' ) {
	135	+ $this->assertEquals(
	136	+ $expected,
	137	+ Sanitizer::checkCss( $css ),
	138	+ $message
	139	+ );
	140	+ }
	141	+
	142	+ function provideCssCommentsFixtures() {
	143	+ /** array( <expected>, <css>, [message] ) */
	144	+ return array(
	145	+ array( ' ', '/**/' ),
	146	+ array( ' ', '/****/' ),
	147	+ array( ' ', '/* comment */' ),
	148	+ array( ' ', "\\2f\\2a foo \\2a\\2f",
	149	+ 'Backslash-escaped comments must be stripped (bug 28450)' ),
	150	+ array( '', '/* unfinished comment structure',
	151	+ 'Remove anything after a comment-start token' ),
	152	+ array( '', "\\2f\\2a unifinished comment'",
	153	+ 'Remove anything after a backslash-escaped comment-start token' ),
	154	+ );
	155	+ }
130	156	}
131	157

Revision	Commit summary	Author	Date
r85856	Fix for bug 28450: escaped CSS comments	tstarling	02:10, 12 April 2011

16:09, 24 October 2011 Platonides (talk | contribs) changed the status of r100584 [removed: new added: ok]