Leave Alone

Strip parentBut keep children in order
', '

Leave Alone

Strip parentBut keep children in order', 'Non-whitelisted elements are stripped, but children are kept' ], [ 'p,strong', '
A B
Nested elements are still filtered
C
D
', 'A B Nested elements are still filtered C D', 'Non-whitelisted elements are stripped even when children of non-whitelisted elements' ], [ 'p', '

Keep

', '

Keep

', 'Non-whitelisted script elements are totally stripped, including any children' ], [ 'p[id]', '

Test

', '

Test

', 'Non-whitelisted attributes are stripped' ], [ 'p[default1=default1|default2=default2|force1:force1|force2:force2]', '

Test

', '

Test

', 'Default attributes are set when not present in input, forced attributes are always set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is added when target attribute is set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is added when target is _top instead of _blank' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is removed when target is not set' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is removed when link_rel_value is an empty string' ], [ 'a[href|target|rel]', 'Test', 'Test', 'noopener rel attribute is unchanged when link_rel_value is null' ], [ 'a[href|target|rel]', 'Test', 'Test', 'Javascript in the href attribute of a link is completely removed' ], [ 'a[href|target|rel]', 'Test', 'Test', 'Javascript in the href attribute of a link is completely removed even for multiline markup' ], [ 'map[name],area[href|shape|coords]', '', '', 'Javascript in the href attribute of a map\'s clickable area is completely removed' ], [ 'iframe[src]', '', '', 'Javascript in the src attribute of an iframe is completely removed' ], [ 'iframe[src]', '', '', 'Mixed case javascript in the src attribute of an iframe is completely removed' ], [ 'iframe[src]', "", '', 'Javascript with tab elements the src attribute of an iframe is completely removed' ], [ 'object[data]', '', '', 'Object with OK content in the data attribute is retained' ], [ 'object[data]', '', '', 'Object with dangerous javascript content in data attribute is completely removed' ], [ 'object[data]', '', '', 'Object with dangerous javascript content in data attribute with quotes is completely removed' ], [ 'object[data]', '', '', 'Object with dangerous html content in data attribute is completely removed' ], [ 'object[data]', '', '', 'XSS vulnerable attributes starting with on or style are removed via configuration' ], ]; $config = HTMLEditorConfig::get('htmleditorsanitisertest'); foreach ($tests as $test) { list($validElements, $input, $output, $desc) = $test; $config->setOptions(['valid_elements' => $validElements]); $sanitiser = new HtmlEditorSanitiser($config); $value = 'noopener noreferrer'; if (strpos($desc ?? '', 'link_rel_value is an empty string') !== false) { $value = ''; } elseif (strpos($desc ?? '', 'link_rel_value is null') !== false) { $value = null; } Config::inst()->set(HTMLEditorSanitiser::class, 'link_rel_value', $value); $htmlValue = HTMLValue::create($input); $sanitiser->sanitise($htmlValue); $this->assertEquals($output, $htmlValue->getContent(), $desc); } } }