Index: trunk/phase3/tests/phpunit/includes/SanitizerTest.php |
— | — | @@ -68,5 +68,46 @@ |
69 | 69 | 'Self-closing closing div' |
70 | 70 | ); |
71 | 71 | } |
| 72 | + |
| 73 | + function testDecodeTagAttributes() { |
| 74 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' ); |
| 75 | + $this->assertEquals( Sanitizer::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' ); |
| 76 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' ); |
| 77 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' ); |
| 78 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); |
| 79 | + |
| 80 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); |
| 81 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); |
| 82 | + |
| 83 | + $this->assertEquals( Sanitizer::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' ); |
| 84 | + $this->assertEquals( Sanitizer::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' ); |
| 85 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' ); |
| 86 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' ); |
| 87 | + |
| 88 | + # Invalid beginning |
| 89 | + $this->assertEquals( Sanitizer::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' ); |
| 90 | + $this->assertEquals( Sanitizer::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' ); |
| 91 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' ); |
| 92 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' ); |
| 93 | + |
| 94 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' ); |
| 95 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' ); |
| 96 | + |
| 97 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' ); |
| 98 | + |
| 99 | + # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539) |
| 100 | + $this->assertEquals( Sanitizer::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' ); |
| 101 | + |
| 102 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' ); |
| 103 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' ); |
| 104 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' ); |
| 105 | + |
| 106 | + |
| 107 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' ); |
| 108 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' ); |
| 109 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' ); |
| 110 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&"' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' ); |
| 111 | + $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' ); |
| 112 | + } |
72 | 113 | } |
73 | 114 | |
Index: trunk/phase3/includes/Sanitizer.php |
— | — | @@ -39,7 +39,7 @@ |
40 | 40 | * Allows some... latitude. |
41 | 41 | * Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes |
42 | 42 | */ |
43 | | -$attribFirst = '[:A-Z_a-z-.0-9]'; // more lenient than standards (by allowing [-.0-9]) |
| 43 | +$attribFirst = '[:A-Z_a-z0-9]'; |
44 | 44 | $attrib = '[:A-Z_a-z-.0-9]'; |
45 | 45 | $space = '[\x09\x0a\x0d\x20]'; |
46 | 46 | define( 'MW_ATTRIBS_REGEX', |