Leave Alone

Strip parentBut keep children in order
', '

Leave Alone

Strip parentBut keep children in order', 'Non-whitelisted elements are stripped, but children are kept' ], [ 'p,strong', '
A B
Nested elements are still filtered
C
D
', 'A B Nested elements are still filtered C D', 'Non-whitelisted elements are stripped even when children of non-whitelisted elements' ], [ 'p', '

Keep

', '

Keep

', 'Non-whitelisted script elements are totally stripped, including any children' ], [ 'p[id]', '

Test

', '

Test

', 'Non-whitelisted attributes are stripped' ], [ 'p[default1=default1|default2=default2|force1:force1|force2:force2]', '

Test

', '

Test

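', 'Default attributes are set when not present in input, forced attributes are always set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is added when target attribute is set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is added when target is _top instead of _blank' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is removed when target is not set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is removed when link_rel_value is an empty string' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is unchanged when link_rel_value is null' ], [ 'a[href|target|rel]', 'Test', 'Test', 'Javascript in the href attribute of a link is completely removed' ], [ 'a[href|target|rel]', 'Test', 'Test', 'Javascript in the href attribute of a link is completely removed even for multiline markup' ], [ 'map[name],area[href|shape|coords]', '', '', 'Javascript in the href attribute of a map\'s clickable area is completely removed' ], [ 'iframe[src]', '', '', 'Javascript in the src attribute of an iframe is completely removed' ], [ 'iframe[src]', '', '', 'Mixed case javascript in the src attribute of an iframe is completely removed' ], [ 'iframe[src]', "", '', 'Javascript with tab elements the src attribute of an iframe is completely removed' ], [ 'object[data]', '', '', 'Object with OK content in the data attribute is retained' ], [ 'object[data]', '', '', 'Object with dangerous javascript content in data attribute is completely removed' ], [ 'object[data]', '', '', 'Object with dangerous javascript content in data attribute with quotes is completely removed' ], [ 'object[data]', '', '', 'Object with dangerous html content in data attribute is completely removed' ], [ 'object[data]', '', '', 'XSS vulnerable attributes starting with on or style are removed via configuration' ], ]; }

    /**
     * Runs one provider case through the sanitiser twice: once with the whitelist
     * supplied as `valid_elements`, once as `extended_valid_elements` (with the
     * default `valid_elements` blanked), and requires the output to match exactly.
     *
     * @param string $validElements TinyMCE-style element/attribute whitelist, e.g. 'a[href|target|rel]'
     * @param string $input         Markup handed to the sanitiser
     * @param string $output        Exact markup expected after sanitisation
     * @param string $desc          Human-readable case name; also selects the link_rel_value override
     *
     * @dataProvider provideSanitise
     */
    public function testSanitisation(string $validElements, string $input, string $output, string $desc): void
    {
        foreach (['valid_elements', 'extended_valid_elements'] as $configType) {
            $config = HTMLEditorConfig::get('htmleditorsanitisertest_' . $configType);
            $config->setOptions([$configType => $validElements]);

            // When exercising extended_valid_elements, blank the default whitelist so the
            // extended list is the only thing that can let an element through.
            if ($configType !== 'valid_elements') {
                $config->setOptions(['valid_elements' => '']);
            }

            // Single canonical spelling of the class name: PHP resolves class names
            // case-insensitively, but mixed casing is a trap for strict autoloaders.
            $sanitiser = new HTMLEditorSanitiser($config);

            // NOTE(review): this is a process-wide config write. It relies on the test
            // harness resetting Config between tests — confirm; otherwise the '' / null
            // cases can leak into later tests and weaken the noopener assertions.
            HTMLEditorSanitiser::config()->set('link_rel_value', $this->linkRelValueFor($desc));

            $htmlValue = HTMLValue::create($input);
            $sanitiser->sanitise($htmlValue);

            // assertSame: a sanitiser test should fail on any drift in the output,
            // including its type, rather than on loose equality.
            $this->assertSame(
                $output,
                $htmlValue->getContent(),
                "{$desc} - using config type: {$configType}"
            );
        }
    }

    /**
     * Chooses the link_rel_value configuration for a provider case.
     *
     * Defaults to 'noopener noreferrer'; two cases deliberately exercise the
     * empty-string and null settings and are recognised by their description.
     *
     * NOTE(review): keying the override off free-text means renaming a case
     * silently changes which configuration it exercises. An explicit provider
     * column would be more robust for a security test.
     *
     * @param string $desc Human-readable case name from the data provider
     * @return string|null Value to store under link_rel_value
     */
    private function linkRelValueFor(string $desc): ?string
    {
        if (strpos($desc, 'link_rel_value is an empty string') !== false) {
            return '';
        }
        if (strpos($desc, 'link_rel_value is null') !== false) {
            return null;
        }
        return 'noopener noreferrer';
    }

    /**
     * With both whitelists empty nothing may be allowed through: as the expected
     * output shows, every element is dropped and only the text nodes remain,
     * concatenated in document order.
     */
    public function testSanitiseNoValidElements(): void
    {
        $config = HTMLEditorConfig::get('htmleditorsanitisertest');
        $config->setOptions(['valid_elements' => '']);
        $config->setOptions(['extended_valid_elements' => '']);
        $sanitiser = new HTMLEditorSanitiser($config);

        // Multi-line literal kept byte-for-byte: the surrounding newlines are part of the input.
        $htmlValue = HTMLValue::create('

standard text

text
Header
');
        $sanitiser->sanitise($htmlValue);

        $this->assertSame('standard texttextHeader', $htmlValue->getContent());
    }
}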