1 <?php
2 
3 declare(strict_types = 1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
19 
21 use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
22 
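/**
 * Functional test pinning the behaviour of the "default" sanitizer configuration
 * built by SanitizerBuilderFactory: unknown elements are escaped rather than kept,
 * unknown and event-handler attributes are dropped, and `href`/`src` values are
 * restricted by URL scheme. Every dataset is an exact payload/output pair, so any
 * change to the default builder's allow-list surfaces here.
 */
class DefaultSanitizerBuilderTest extends FunctionalTestCase
{
    /**
     * No database fixtures are needed: the test only exercises the in-memory sanitizer.
     *
     * @var bool
     */
    protected $initializeDatabase = false;

    /**
     * Payload/expectation pairs for isSanitized(), grouped by key prefix:
     * #01x unknown elements and pre-encoded entities, #02x unknown attributes,
     * #03x allowed `class`/`data-*` attributes, #04x `<img src>` schemes combined
     * with an injected `onerror`, #05x `<a href>` schemes, #056–#059 TYPO3 legacy
     * link markup that the default builder passes through unchanged, #090 nesting,
     * #810 inline `style`.
     *
     * @return array<string, array{0: string, 1: string}>
     */
    public static function isSanitizedDataProvider(): array
    {
        return [
            // Unknown elements are escaped to text, not silently kept or dropped.
            '#010' => [
                '<unknown unknown="unknown">value</unknown>',
                '&lt;unknown unknown="unknown"&gt;value&lt;/unknown&gt;',
            ],
            '#011' => [
                '<div class="nested"><unknown unknown="unknown">value</unknown></div>',
                '<div class="nested">&lt;unknown unknown="unknown"&gt;value&lt;/unknown&gt;</div>',
            ],
            // Already-encoded markup stays encoded: neither double-encoded nor decoded into a live element.
            '#012' => [
                '&lt;script&gt;alert(1)&lt;/script&gt;',
                '&lt;script&gt;alert(1)&lt;/script&gt;',
            ],
            // @todo bug in https://github.com/Masterminds/html5-php/issues
            // '#013' => [
            //     '<strong>Given that x < y and y > z...</strong>',
            //     '<strong>Given that x &lt; y and y &gt; z...</strong>',
            // ],
            // Unknown attributes on known elements are dropped, the element is kept.
            '#020' => [
                '<div unknown="unknown">value</div>',
                '<div>value</div>',
            ],
            '#030' => [
                '<div class="class">value</div>',
                '<div class="class">value</div>',
            ],
            '#031' => [
                '<div data-value="value">value</div>',
                '<div data-value="value">value</div>',
            ],
            '#032' => [
                '<div data-bool>value</div>',
                '<div data-bool>value</div>',
            ],
            // `mailto:` and protocol-relative `//` are not accepted as image sources;
            // in those cases the whole element is removed, not just the attribute.
            // `onerror` is dropped in every case.
            '#040' => [
                '<img src="mailto:noreply@typo3.org" onerror="alert(1)">',
                '',
            ],
            '#041' => [
                '<img src="https://typo3.org/logo.svg" onerror="alert(1)">',
                '<img src="https://typo3.org/logo.svg">',
            ],
            '#042' => [
                '<img src="http://typo3.org/logo.svg" onerror="alert(1)">',
                '<img src="http://typo3.org/logo.svg">',
            ],
            '#043' => [
                '<img src="/typo3.org/logo.svg" onerror="alert(1)">',
                '<img src="/typo3.org/logo.svg">',
            ],
            '#044' => [
                '<img src="typo3.org/logo.svg" onerror="alert(1)">',
                '<img src="typo3.org/logo.svg">',
            ],
            '#045' => [
                '<img src="//typo3.org/logo.svg" onerror="alert(1)">',
                '',
            ],
            // For anchors only the `href` is stripped when its scheme is not accepted;
            // the element and its other attributes survive.
            '#050' => [
                '<a href="https://typo3.org/" role="button">value</a>',
                '<a href="https://typo3.org/" role="button">value</a>',
            ],
            '#051' => [
                '<a href="ssh://example.org/" role="button">value</a>',
                '<a role="button">value</a>',
            ],
            '#052' => [
                '<a href="javascript:alert(1)" role="button">value</a>',
                '<a role="button">value</a>',
            ],
            '#053' => [
                '<a href="data:text/html;..." role="button">value</a>',
                '<a role="button">value</a>',
            ],
            '#054' => [
                '<a href="t3://page?uid=1" role="button">value</a>',
                '<a href="t3://page?uid=1" role="button">value</a>',
            ],
            '#055' => [
                '<a href="tel:123456789" role="button">value</a>',
                '<a href="tel:123456789" role="button">value</a>',
            ],
            '#056' => [
                // config.spamProtectEmailAddresses = [n]
                // Unlike the generic `javascript:` href in #052, this specific legacy
                // spam-protection link is expected to pass through unchanged.
                '<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">email(at)domain.tld</a>',
                '<a href="javascript:linkTo_UnCryptMailto(%27ocknvq%2CkphqBrtczku%5C%2Fmkghgt0fg%27);">email(at)domain.tld</a>',
            ],
            '#057' => [
                // config.spamProtectEmailAddresses = ascii
                '<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#111;&#109;&#101;&#46;&#98;&#111;&#100;&#121;&#64;&#116;&#101;&#115;&#116;&#46;&#116;&#121;&#112;&#111;&#51;&#46;&#111;&#114;&#103;">some.body(at)test.typo3(dot)org</a>',
                // HTML entity encoding is not really a "protection", `Masterminds/html5-php` per default
                // decodes those entities, which is good to have normalized attr values
                '<a href="mailto:some.body@test.typo3.org">some.body(at)test.typo3(dot)org</a>',
            ],
            '#058' => [
                // `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
                '<a href="/" target="FEopenLink" onclick="openPic(\'\/\',\'FEopenLink\',\'width=200,height=300\');return false;">Link</a>',
                '<a href="/" target="FEopenLink" onclick="openPic(\'\/\',\'FEopenLink\',\'width=200,height=300\');return false;">Link</a>',
            ],
            '#059' => [
                // `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
                '<a href="/index.php?eID=tx_cms_showpic" onclick="openPic(\'\/index.php?eID=tx_cms_showpic\u0026file=77\u0026md5=45a4b6287f68a61cf617a470e853d857461bc1d2\u0026parameters%5B0%5D=W10%3D\',\'thePicture\',\'width=1200,height=1799,status=0,menubar=0,=\'); return false;" target="thePicture"><img src="/logo.png"></a>',
                '<a href="/index.php?eID=tx_cms_showpic" onclick="openPic(\'\/index.php?eID=tx_cms_showpic\u0026file=77\u0026md5=45a4b6287f68a61cf617a470e853d857461bc1d2\u0026parameters%5B0%5D=W10%3D\',\'thePicture\',\'width=1200,height=1799,status=0,menubar=0,=\'); return false;" target="thePicture"><img src="/logo.png"></a>',
            ],
            // Allowed boolean `data-*` attributes survive at every nesting level.
            '#090' => [
                '<p data-bool><span data-bool><strong data-bool>value</strong></span></p>',
                '<p data-bool><span data-bool><strong data-bool>value</strong></span></p>',
            ],
            // @todo `style` used in Introduction Package, inline CSS should be removed
            '#810' => [
                '<span style="color: orange">value</span>',
                '<span style="color: orange">value</span>',
            ],
        ];
    }

    /**
     * Runs one payload through a freshly built "default" sanitizer and compares
     * the result byte-for-byte with the expected output.
     *
     * @test
     * @dataProvider isSanitizedDataProvider
     * @param string $payload raw HTML handed to the sanitizer
     * @param string $expectation exact HTML the default sanitizer must produce
     */
    public function isSanitized(string $payload, string $expectation): void
    {
        // Build from the factory rather than a cached instance so each dataset
        // sees the default configuration exactly as production code obtains it.
        $factory = new SanitizerBuilderFactory();
        $builder = $factory->build('default');
        $sanitizer = $builder->build();
        self::assertSame($expectation, $sanitizer->sanitize($payload));
    }
}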