public function testStripFilterIsDefaultFilterWithoutTidy()
{
$in = '<p class="foo" style="margin-top: 5px">I <em class="foo" style="color: red;">was</em> right <strong>there</strong>!</p>';
$doc = new Wibble\HTML\Fragment($in, array('disable_tidy' => true));
$doc->filter(array('p' => array(), 'em' => array()));
$this->assertEquals('<p>I <em>was</em> right there!</p>', $doc->toString());
}
public function testPrunedAllReturnOfFragmentIsEmptyString()
{
$doc = new Wibble\HTML\Fragment('<script>foo</script>');
$doc->filter('prune');
$this->assertEquals('', $doc->toString());
}
public function testUTF7Vulnerability()
{
$input = iconv('UTF-8', 'UTF-7', '<script>alert("xss");</script>');
$doc = new Wibble\HTML\Fragment($input);
$doc->filter();
$this->assertEquals('+ADw-script+AD4-alert(+ACI-xss+ACI)+ADsAPA-/script+AD4-', $doc->toString());
}
/**
* Personally I'd prefer this didn't happen, but DOM has its own ideas and
* DOM isn't messed around by hanging quotes. Nonetheless, merging such
* output with non-filtered HTML would raise the risk of quote escaping a bit.
*/
public function testEncodingHandlingTranslatesQuoteEquivelantsToRealQuotes()
{
$markup = iconv('UTF-8', 'ISO-8859-15', '<p>\'""'</p>');
$expected = '\'""\'';
$fragment = new Wibble\HTML\Fragment($markup, array('input_encoding' => 'ISO-8859-15', 'output_encoding' => 'UTF-8'));
$fragment->filter();
$this->assertEquals($expected, $fragment->toString());
}
public function testBrokenTagShouldGreedilyStripAllPotentialTagUntilNextValidTag()
{
$fragment = new Wibble\HTML\Fragment('This is <strongSparta!</strong><em>Sparta!!!</em>');
$fragment->filter(array('strong' => array(), 'em' => array()));
$this->assertEquals('This is <em>Sparta!!!</em>', $fragment->toString());
}
protected function sanitizeHTMLWithoutTidy($string)
{
$fragment = new Wibble\HTML\Fragment($string, array('disable_tidy' => true));
$fragment->filter('escape');
return $fragment->toString();
}