Skip navigation


7 filter.test FilterUnitTestCase::testHtmlFilter()

Test filter settings, defaults, access restrictions and similar.

@todo This is for functions like filter_filter and check_markup, whose functionality is not completely focused on filtering. Some ideas: restricting formats according to user permissions, proper cache handling, defaults -- allowed tags/attributes/protocols.

@todo It is possible to add script, iframe etc. to allowed tags, but this makes HTML filter completely ineffective.

@todo Class, id, name and xmlns should be added to disallowed attributes, or better a whitelist approach should be used for that too.


drupal/modules/filter/filter.test, line 1064
Tests for filter.module.


function testHtmlFilter() {
  // Setup dummy filter object.
  $filter = new stdClass();
  $filter->settings = array(
    'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>', 
    'filter_html_help' => 1, 
    'filter_html_nofollow' => 0,

  // HTML filter is not able to secure some tags, these should never be
  // allowed.
  $f = _filter_html('<script />', $filter);
  $this->assertNoNormalized($f, 'script', t('HTML filter should always remove script tags.'));

  $f = _filter_html('<iframe />', $filter);
  $this->assertNoNormalized($f, 'iframe', t('HTML filter should always remove iframe tags.'));

  $f = _filter_html('<object />', $filter);
  $this->assertNoNormalized($f, 'object', t('HTML filter should always remove object tags.'));

  $f = _filter_html('<style />', $filter);
  $this->assertNoNormalized($f, 'style', t('HTML filter should always remove style tags.'));

  // Some tags make CSRF attacks easier, let the user take the risk herself.
  $f = _filter_html('<img />', $filter);
  $this->assertNoNormalized($f, 'img', t('HTML filter should remove img tags on default.'));

  $f = _filter_html('<input />', $filter);
  $this->assertNoNormalized($f, 'img', t('HTML filter should remove input tags on default.'));

  // Filtering content of some attributes is infeasible, these shouldn't be
  // allowed too.
  $f = _filter_html('<p style="display: none;" />', $filter);
  $this->assertNoNormalized($f, 'style', t('HTML filter should remove style attribute on default.'));

  $f = _filter_html('<p onerror="alert(0);" />', $filter);
  $this->assertNoNormalized($f, 'onerror', t('HTML filter should remove on* attributes on default.'));

  $f = _filter_html('<code onerror>&nbsp;</code>', $filter);
  $this->assertNoNormalized($f, 'onerror', t('HTML filter should remove empty on* attributes on default.'));