function FilterUnitTestCase::testHtmlFilter
Tests filter settings, defaults, access restrictions and similar.
@todo This is for functions like filter_filter and check_markup, whose functionality is not completely focused on filtering. Some ideas: restricting formats according to user permissions, proper cache handling, defaults -- allowed tags/attributes/protocols.
@todo It is possible to add script, iframe etc. to allowed tags, but this makes HTML filter completely ineffective.
@todo Class, id, name and xmlns should be added to disallowed attributes, or better a whitelist approach should be used for that too.
File
-
modules/
filter/ filter.test, line 1179
Class
- FilterUnitTestCase
- Unit tests for core filters.
Code
function testHtmlFilter() {
// Setup dummy filter object.
$filter = new stdClass();
$filter->settings = array(
'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <test-element>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
);
// HTML filter is not able to secure some tags, these should never be
// allowed.
$f = _filter_html('<script />', $filter);
$this->assertNoNormalized($f, 'script', 'HTML filter should always remove script tags.');
$f = _filter_html('<iframe />', $filter);
$this->assertNoNormalized($f, 'iframe', 'HTML filter should always remove iframe tags.');
$f = _filter_html('<object />', $filter);
$this->assertNoNormalized($f, 'object', 'HTML filter should always remove object tags.');
$f = _filter_html('<style />', $filter);
$this->assertNoNormalized($f, 'style', 'HTML filter should always remove style tags.');
// Some tags make CSRF attacks easier, let the user take the risk herself.
$f = _filter_html('<img />', $filter);
$this->assertNoNormalized($f, 'img', 'HTML filter should remove img tags on default.');
$f = _filter_html('<input />', $filter);
$this->assertNoNormalized($f, 'img', 'HTML filter should remove input tags on default.');
// Filtering content of some attributes is infeasible, these shouldn't be
// allowed too.
$f = _filter_html('<p style="display: none;" />', $filter);
$this->assertNoNormalized($f, 'style', 'HTML filter should remove style attribute on default.');
$f = _filter_html('<p onerror="alert(0);" />', $filter);
$this->assertNoNormalized($f, 'onerror', 'HTML filter should remove on* attributes on default.');
$f = _filter_html('<code onerror> </code>', $filter);
$this->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes on default.');
// Custom tags are supported and should be allowed through.
$f = _filter_html('<test-element></test-element>', $filter);
$this->assertNormalized($f, 'test-element', 'HTML filter should allow custom elements.');
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.