C. Scott Ananian has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/396059 )
Change subject: Tweak Sanitizer test to pass in PHP; also add new test for T182338 ...................................................................... Tweak Sanitizer test to pass in PHP; also add new test for T182338 Change-Id: Id5c899dd24004ed205807547db6ded26bee2df46 --- M tests/parserTests-blacklist.js M tests/parserTests.txt 2 files changed, 30 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/services/parsoid refs/changes/59/396059/1
diff --git a/tests/parserTests-blacklist.js b/tests/parserTests-blacklist.js
index d9f5409..751e385 100644
--- a/tests/parserTests-blacklist.js
+++ b/tests/parserTests-blacklist.js
@@ -151,6 +151,7 @@ add("wt2html", "CSS line continuation 2", "<div style=\"/* insecure input */\" data-parsoid='{\"stx\":\"html\",\"a\":{\"style\":\"/* insecure input */\"},\"sa\":{\"style\":\"background-image: u\\\\&#13;rl(test.jpg); \"},\"dsr\":[0,59,53,6]}'></div>"); add("wt2html", "Sanitizer: Closing of closed but not open table tags", "Table not started"); add("wt2html", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata", "<div itemscope=\"\" data-parsoid='{\"stx\":\"html\",\"dsr\":[0,308,15,6]}'>\n\t<p data-parsoid='{\"dsr\":[17,301,0,0]}'><meta itemprop=\"hello\" content=\"world\">\n\t<meta http-equiv=\"refresh\" content=\"5\">\n\t<meta itemprop=\"hello\" http-equiv=\"refresh\" content=\"5\">\n\t<link itemprop=\"hello\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" itemprop=\"hello\" href=\"{{SERVER}}\"></p>\n</div>"); +add("wt2html", "Sanitizer: angle brackets are invalid, even in interwiki links (T182338)", "<p data-parsoid='{\"dsr\":[0,89,0,0]}'><a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo<Bar\" title=\"meatball:Foo<Bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo<Bar\"},\"sa\":{\"href\":\"meatball:Foo<Bar\"},\"isIW\":true,\"dsr\":[0,20,2,2]}'>meatball:Foo<Bar</a>\n<a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo>Bar\" title=\"meatball:Foo>Bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo>Bar\"},\"sa\":{\"href\":\"meatball:Foo>Bar\"},\"isIW\":true,\"dsr\":[21,41,2,2]}'>meatball:Foo>Bar</a>\n<a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo<bar\" title=\"meatball:Foo<bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo<bar\"},\"sa\":{\"href\":\"meatball:Foo&lt;bar\"},\"isIW\":true,\"dsr\":[42,65,2,2]}'>meatball:Foo<bar</a>\n<a 
rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo>bar\" title=\"meatball:Foo>bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo>bar\"},\"sa\":{\"href\":\"meatball:Foo&gt;bar\"},\"isIW\":true,\"dsr\":[66,89,2,2]}'>meatball:Foo>bar</a></p>"); add("wt2html", "Language converter glossary rules inside attributes (T119158)", "<p data-parsoid='{\"dsr\":[0,52,0,0]}'><meta typeof=\"mw:LanguageVariant\" data-mw-variant='{\"add\":true,\"oneway\":[{\"f\":\"foAjrjvi\",\"l\":\"sr-el\",\"t\":\"\\\" onload=\\\"alert(1)\\\" data-foo=\\\"\"}]}' data-parsoid='{\"fl\":[\"H\"],\"src\":\"-{H|foAjrjvi=>sr-el:\\\" onload=\\\"alert(1)\\\" data-foo=\\\"}-\",\"tSp\":[4],\"dsr\":[0,52,null,null]}'/></p>\n\n<p data-parsoid='{\"dsr\":[54,94,0,0]}'><figure-inline class=\"mw-default-size\" typeof=\"mw:Image\" data-parsoid='{\"optList\":[{\"ck\":\"alt\",\"ak\":\"alt=-{}-foAjrjvi-{}-\"}],\"dsr\":[54,94,null,null]}'><a href=\"./Датотека:Foobar.jpg\" data-parsoid='{\"a\":{\"href\":\"./Датотека:Foobar.jpg\"},\"sa\":{\"href\":\"File:Foobar.jpg\"}}'><img alt=\"foAjrjvi\" resource=\"./Датотека:Foobar.jpg\" src=\"//example.com/images/3/3a/Foobar.jpg\" data-file-width=\"1941\" data-file-height=\"220\" data-file-type=\"bitmap\" height=\"220\" width=\"1941\" data-parsoid='{\"a\":{\"alt\":\"foAjrjvi\",\"resource\":\"./Датотека:Foobar.jpg\",\"height\":\"220\",\"width\":\"1941\"},\"sa\":{\"alt\":\"alt=-{}-foAjrjvi-{}-\",\"resource\":\"File:Foobar.jpg\"}}'/></a></figure-inline></p>"); add("wt2html", "Inline HTML vs wiki block nesting", "<p data-parsoid='{\"dsr\":[0,17,0,0]}'><b data-parsoid='{\"stx\":\"html\",\"autoInsertedEnd\":true,\"dsr\":[0,17,3,0]}'>Bold paragraph</b></p><b data-parsoid='{\"stx\":\"html\",\"autoInsertedEnd\":true,\"autoInsertedStart\":true,\"dsr\":[17,37,0,0]}'>\n\n<p data-parsoid='{\"dsr\":[19,37,0,0]}'>New wiki paragraph</p></b>"); add("wt2html", "Special page transclusion", "<p 
data-parsoid='{\"dsr\":[0,30,0,0]}'><span about=\"#mwt2\" typeof=\"mw:Error mw:Transclusion\" data-parsoid='{\"pi\":[[]],\"dsr\":[0,30,null,null]}' data-mw='{\"parts\":[{\"template\":{\"target\":{\"wt\":\"Special:Prefixindex/Xyzzyx\",\"href\":\"./Special:PrefixIndex/Xyzzyx\"},\"params\":{},\"errors\":[{\"key\":\"mw-api-tplfetch-error\",\"message\":\"Page / template fetching disabled, and no cache for Special:PrefixIndex/Xyzzyx\"}],\"i\":0}}]}'>{{Special:Prefixindex/Xyzzyx}}</span></p>"); 
@@ -417,6 +418,7 @@ add("html2html", "CSS line continuation 2", "<div style=\" \" data-parsoid='{\"stx\":\"html\",\"a\":{\"style\":\" \"},\"sa\":{\"style\":\"/* invalid control char */\"},\"dsr\":[0,46,40,6]}'></div>\n"); add("html2html", "Parser hook: nested tags", "<pre typeof=\"mw:Extension/tag\" about=\"#mwt3\" data-parsoid='{\"dsr\":[0,16,2,2]}' data-mw='{\"name\":\"tag\",\"attrs\":{},\"body\":{\"extsrc\":\"<tag>\"}}'></pre><span typeof=\"mw:Nowiki\" data-parsoid='{\"dsr\":[16,39,8,9]}'></tag></span>"); add("html2html", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata", "<div itemscope=\"\" data-parsoid='{\"stx\":\"html\",\"dsr\":[0,244,18,6]}'>\n\t<p data-parsoid='{\"dsr\":[20,236,0,0]}'><meta itemprop=\"hello\" content=\"world\" />\n\t<meta http-equiv=\"refresh\" content=\"5\">\n\t<meta itemprop=\"hello\" content=\"5\" />\n\t<a rel=\"mw:ExtLink\" href=\"http://example.org\" data-parsoid='{\"targetOff\":162,\"contentOffsets\":[162,162],\"dsr\":[143,163,19,1]}'></a>\n\t<link rel=\"stylesheet\" href=\"http://example.org\">\n\t<a rel=\"mw:ExtLink\" href=\"http://example.org\" data-parsoid='{\"targetOff\":235,\"contentOffsets\":[235,235],\"dsr\":[216,236,19,1]}'></a></p>\n\n</div>\n"); +add("html2html", "Sanitizer: angle brackets are invalid, even in interwiki links (T182338)", "<p data-parsoid='{\"dsr\":[0,83,0,0]}'><a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo<Bar\" title=\"meatball:Foo<Bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo<Bar\"},\"sa\":{\"href\":\"meatball:Foo<Bar\"},\"isIW\":true,\"dsr\":[0,20,2,2]}'>meatball:Foo<Bar</a>\n<a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo>Bar\" title=\"meatball:Foo>Bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo>Bar\"},\"sa\":{\"href\":\"meatball:Foo>Bar\"},\"isIW\":true,\"dsr\":[21,41,2,2]}'>meatball:Foo>Bar</a>\n<a 
rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo<bar\" title=\"meatball:Foo<bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo<bar\"},\"sa\":{\"href\":\"meatball:Foo<bar\"},\"isIW\":true,\"dsr\":[42,62,2,2]}'>meatball:Foo<bar</a>\n<a rel=\"mw:WikiLink/InterWiki\" href=\"http://www.usemod.com/cgi-bin/mb.pl?Foo>bar\" title=\"meatball:Foo>bar\" data-parsoid='{\"stx\":\"simple\",\"a\":{\"href\":\"http://www.usemod.com/cgi-bin/mb.pl?Foo>bar\"},\"sa\":{\"href\":\"meatball:Foo>bar\"},\"isIW\":true,\"dsr\":[63,83,2,2]}'>meatball:Foo>bar</a></p>\n"); add("html2html", "Language converter glossary rules inside attributes (T119158)", "<p data-parsoid='{\"dsr\":[0,52,0,0]}'><meta typeof=\"mw:LanguageVariant\" data-mw-variant='{\"add\":true,\"oneway\":[{\"f\":\"foAjrjvi\",\"l\":\"sr-el\",\"t\":\"\\\" onload=\\\"alert(1)\\\" data-foo=\\\"\"}]}' data-parsoid='{\"fl\":[\"H\"],\"src\":\"-{H|foAjrjvi=>sr-el:\\\" onload=\\\"alert(1)\\\" data-foo=\\\"}-\",\"tSp\":[4],\"dsr\":[0,52,null,null]}'/></p>\n\n<p data-parsoid='{\"dsr\":[54,94,0,0]}'><figure-inline class=\"mw-default-size\" typeof=\"mw:Image\" data-parsoid='{\"optList\":[{\"ck\":\"alt\",\"ak\":\"alt=-{}-foAjrjvi-{}-\"}],\"dsr\":[54,94,null,null]}'><a href=\"./Датотека:Foobar.jpg\" data-parsoid='{\"a\":{\"href\":\"./Датотека:Foobar.jpg\"},\"sa\":{\"href\":\"File:Foobar.jpg\"}}'><img alt=\"foAjrjvi\" resource=\"./Датотека:Foobar.jpg\" src=\"//example.com/images/3/3a/Foobar.jpg\" data-file-width=\"1941\" data-file-height=\"220\" data-file-type=\"bitmap\" height=\"220\" width=\"1941\" data-parsoid='{\"a\":{\"alt\":\"foAjrjvi\",\"resource\":\"./Датотека:Foobar.jpg\",\"height\":\"220\",\"width\":\"1941\"},\"sa\":{\"alt\":\"alt=-{}-foAjrjvi-{}-\",\"resource\":\"File:Foobar.jpg\"}}'/></a></figure-inline></p>"); add("html2html", "HTML ordered list item with parameters oddity", "<ol data-parsoid='{\"dsr\":[0,5,0,0]}'><li data-parsoid='{\"dsr\":[0,5,1,0]}'> 
One</li></ol>\n"); add("html2html", "Special page transclusion", "<ul data-parsoid='{\"dsr\":[0,24,0,0]}'><li data-parsoid='{\"dsr\":[0,24,1,0]}'> <a rel=\"mw:WikiLink\" href=\"./Wiki/Xyzzyx\" title=\"Wiki/Xyzzyx\" data-parsoid='{\"stx\":\"piped\",\"a\":{\"href\":\"./Wiki/Xyzzyx\"},\"sa\":{\"href\":\"wiki/Xyzzyx\"},\"dsr\":[2,24,14,2]}'>Xyzzyx</a></li></ul>\n"); @@ -866,6 +868,7 @@ add("html2wt", "Sanitizer: Closing of open tags", "<s></s>\n{|\n|}\n"); add("html2wt", "Sanitizer: Closing of open but not closed tags", "<s>foo</s>\n"); add("html2wt", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata", "<div itemscope=\"\">\n\t<meta itemprop=\"hello\" content=\"world\" />\n\t<meta http-equiv=\"refresh\" content=\"5\">\n\t<meta itemprop=\"hello\" content=\"5\" />\n\t[http://example.org]\n\t<link rel=\"stylesheet\" href=\"http://example.org\">\n\t[http://example.org]\n\n</div>\n"); +add("html2wt", "Sanitizer: angle brackets are invalid, even in interwiki links (T182338)", "[[meatball:Foo<Bar]]\n[[meatball:Foo>Bar]]\n[[meatball:Foo<bar]]\n[[meatball:Foo>bar]]\n"); add("html2wt", "Self closed html pairs (T7487)", "<center><font id=\"bug\"></font>Centered text</center>\n<div><font id=\"bug2\"></font>In div text</div>"); add("html2wt", "Punctuation: nbsp before exclamation", "C'est grave !\n"); add("html2wt", "HTML nested bullet list, open tags (T7497)", "* One\n* Two:\n** Sub-one\n** Sub-two\n"); 
@@ -1587,6 +1590,7 @@ add("selser", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata [[2,4,0]]", "<div itemscope>1jopkvo\n\t94zkc5\n</div>"); add("selser", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata [[3,0,4]]", "<div itemscope>\n<meta itemprop=\"hello\" content=\"world\">\n\t<meta http-equiv=\"refresh\" content=\"5\">\n\t<meta itemprop=\"hello\" http-equiv=\"refresh\" content=\"5\">\n\t<link itemprop=\"hello\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" itemprop=\"hello\" href=\"{{SERVER}}\">\nl711yq</div>"); add("selser", "Sanitizer: Validating that <meta> and <link> work, but only for Microdata [[0,2,0]]", "<div itemscope>\n\t1fetx3z\n<meta itemprop=\"hello\" content=\"world\">\n\t<meta http-equiv=\"refresh\" content=\"5\">\n\t<meta itemprop=\"hello\" http-equiv=\"refresh\" content=\"5\">\n\t<link itemprop=\"hello\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" href=\"{{SERVER}}\">\n\t<link rel=\"stylesheet\" itemprop=\"hello\" href=\"{{SERVER}}\">\n</div>"); +add("selser", "Sanitizer: angle brackets are invalid, even in interwiki links (T182338) [[[3],0,3,0,1,3,1]]", "[meatball:Foo<Bar]\n\nmeatball:Foo<barmeatball:Foo>bar"); add("selser", "HTML bullet list, closed tags (T7497) [[4,[3],3,0,3]]", "<ul><li>j0tr6b</li><li></li>\n<li>Two</li></ul>"); add("selser", "HTML bullet list, closed tags (T7497) [[4,[2],3,0,0]]", "<ul><li>1ll4gfg</li><li>wnpb5dOne</li>\n<li>Two</li>\n</ul>"); add("selser", "HTML nested ordered list, open tags (T7497) [[2,3,4,[2,1],3]]", "<ol><li>1ph637d</li>\n<li>l97dbh</li><li>1lg6gmxTwo:\n<ol data-foobar=\"1pegvwc\">\n<li>Sub-one\n<li>Sub-two\n</ol>\n</ol>"); diff --git a/tests/parserTests.txt b/tests/parserTests.txt index 31fe41e..69dc17d 100644 --- a/tests/parserTests.txt +++ b/tests/parserTests.txt 
@@ -18680,9 +18680,33 @@
 !! test
 Sanitizer: Avoid unnecessary percent encoded characters in WikiLink/InterWiki links
 !! wikitext
-[[MeatBall:Soft<>"Security]]
+[[meatball:Soft"Security]]
+!! html/php
+<p><a href="http://www.usemod.com/cgi-bin/mb.pl?Soft%22Security" class="extiw" title="meatball:Soft"Security">meatball:Soft"Security</a>
+</p>
 !! html/parsoid
-<p><a rel="mw:WikiLink/InterWiki" href='http://www.usemod.com/cgi-bin/mb.pl?Soft<>"Security' title='meatball:Soft<>"Security' data-parsoid='{"stx":"simple","a":{"href":"http://www.usemod.com/cgi-bin/mb.pl?Soft<>\"Security"},"sa":{"href":"MeatBall:Soft<>\"Security"},"isIW":true}'>MeatBall:Soft<>"Security</a></p>
+<p><a rel="mw:WikiLink/InterWiki" href='http://www.usemod.com/cgi-bin/mb.pl?Soft"Security' title='meatball:Soft"Security'>meatball:Soft"Security</a></p>
+!! end
+
+!! test
+Sanitizer: angle brackets are invalid, even in interwiki links (T182338)
+!! wikitext
+[[meatball:Foo<Bar]]
+[[meatball:Foo>Bar]]
+[[meatball:Foo<bar]]
+[[meatball:Foo>bar]]
+!! html/php
+<p>[[meatball:Foo<Bar]]
+[[meatball:Foo>Bar]]
+[[meatball:Foo<bar]]
+[[meatball:Foo>bar]]
+</p>
+!! html/parsoid
+<p>[[meatball:Foo<Bar]]
+[[meatball:Foo>Bar]]
+[[meatball:Foo<bar]]
+[[meatball:Foo>bar]]
+</p>
 !! end
 
 !! test
-- To view, visit https://gerrit.wikimedia.org/r/396059 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id5c899dd24004ed205807547db6ded26bee2df46 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/services/parsoid Gerrit-Branch: master Gerrit-Owner: C. Scott Ananian <canan...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
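Review bot: The new T182338 case pins rejection only for angle brackets written literally or, judging by the `sa.href` values `meatball:Foo&lt;bar` and `meatball:Foo&gt;bar` in the blacklist entry for this test, as entities; the `!! wikitext` section has no line for a percent-encoded bracket. If link targets are percent-decoded before the title is validated, that form should reach the same rejection, so consider adding `[[meatball:Foo%3CBar]]` and `[[meatball:Foo%3EBar]]` with whatever the PHP parser yields for them recorded under `!! html/php`. The same commit also adds this test to tests/parserTests-blacklist.js in the wt2html, html2html, html2wt and selser modes, and the recorded wt2html/html2html output still contains `rel="mw:WikiLink/InterWiki"` anchors, so the `!! html/parsoid` expectation describes intended behaviour rather than something enforced today. A `#` comment above the test saying that Parsoid is known to fail it until T182338 is fixed would keep readers from taking the expectation as current sanitizer behaviour.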