This is a test paragraph.';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('This is a test paragraph.
', $result);
}
public function test_sanitize_removes_script_tags(): void {
$input = 'Safe content
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringNotContainsString('';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
// SVG is not in allowed elements, so it should be removed
$this->assertStringNotContainsString('assertStringNotContainsString('alert', $result);
}
public function test_sanitize_preserves_entities(): void {
$input = '<script>alert("test")</script>
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('<', $result);
$this->assertStringContainsString('>', $result);
// " gets converted to regular quotes by DOMDocument
$this->assertStringContainsString('alert', $result);
}
public function test_sanitize_unicode_characters(): void {
$input = 'Hello 世界 🌍
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
// Unicode characters are converted to HTML entities by DOMDocument
$this->assertStringContainsString('Hello', $result);
// Check that the content is preserved (either as unicode or entities)
$this->assertMatchesRegularExpression('/世界|&#\d+;/', $result);
}
public function test_sanitize_long_content(): void {
$input = '' . str_repeat('Lorem ipsum dolor sit amet. ', 1000) . '
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertGreaterThan(1000, strlen($result));
}
public function test_sanitize_deeply_nested_structure(): void {
$input = '';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('Deep content', $result);
}
public function test_sanitize_malformed_html(): void {
$input = 'Unclosed paragraph
Mixed tags
';
$result = Sanitizer::sanitize($input);
// Should not return false, even with malformed HTML
$this->assertNotFalse($result);
$this->assertStringContainsString('Unclosed paragraph', $result);
$this->assertStringContainsString('Mixed tags', $result);
}
public function test_sanitize_picture_element_with_srcset(): void {
$input = '', $result);
$this->assertStringContainsString('https://example.com/image-large.jpg', $result);
$this->assertStringContainsString('https://example.com/image-small.jpg', $result);
}
public function test_sanitize_with_protocol_relative_url(): void {
$input = 'Link ';
$site_url = 'https://example.com';
$result = Sanitizer::sanitize($input, false, null, $site_url);
$this->assertNotFalse($result);
$this->assertStringContainsString('href=', $result);
}
public function test_sanitize_abbreviation_and_acronym(): void {
$input = 'HTML and CSS
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('assertStringContainsString('title=', $result);
}
public function test_sanitize_details_and_summary(): void {
$input = 'Click to expand Hidden content
', $result);
$this->assertStringContainsString('', $result);
$this->assertStringContainsString('Click to expand', $result);
$this->assertStringContainsString('Hidden content', $result);
}
public function test_sanitize_kbd_and_samp(): void {
$input = 'Press Ctrl+C to see output
';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('', $result);
$this->assertStringContainsString('', $result);
}
public function test_sanitize_ruby_annotation(): void {
$input = '漢( kan ) ';
$result = Sanitizer::sanitize($input);
$this->assertNotFalse($result);
$this->assertStringContainsString('', $result);
$this->assertStringContainsString('', $result);
$this->assertStringContainsString('', $result);
}
public function test_sanitize_blocks_localhost_in_img_src(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringNotContainsString('assertStringContainsString('<img', $result);
$this->assertStringContainsString('127.0.0.1:8080', $result);
}
public function test_sanitize_allows_non_standard_port_on_external_host_in_img_src(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://example.org:8080/image.jpg', $result);
}
public function test_sanitize_allows_private_ip_on_standard_http_port(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://192.168.1.100/image.jpg', $result);
}
public function test_sanitize_allows_private_ip_on_standard_https_port(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('https://10.0.0.5/image.jpg', $result);
}
public function test_sanitize_blocks_private_ip_on_non_standard_port(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringNotContainsString('assertStringContainsString('<img', $result);
$this->assertStringContainsString('http://192.168.1.1:8080/image.jpg', $result);
}
public function test_sanitize_blocks_link_local_on_standard_port(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringNotContainsString('assertStringContainsString('<img', $result);
$this->assertStringContainsString('http://169.254.169.254/latest/meta-data/', $result);
}
public function test_sanitize_allows_standard_port_in_img_src(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://example.org/image.jpg', $result);
}
public function test_sanitize_allows_https_standard_port_in_img_src(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('https://example.org/image.jpg', $result);
}
public function test_sanitize_preserves_data_uri_in_img_src(): void {
$input = 'Test
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('data:image/png;base64', $result);
}
public function test_sanitize_preserves_href_with_non_standard_port(): void {
$input = 'Test link here
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://example.org:8080/article', $result);
$this->assertStringContainsString('link', $result);
}
public function test_sanitize_preserves_href_with_localhost(): void {
$input = 'Test link here
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.com');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://localhost:3000/dev', $result);
$this->assertStringContainsString('link', $result);
}
public function test_sanitize_allows_non_standard_port_on_external_host_in_video_poster(): void {
$input = 'assertStringContainsString('poster="http://example.org:8080/poster.jpg"', $result);
}
public function test_sanitize_allows_standard_port_in_video_poster(): void {
$input = 'assertStringContainsString('poster="https://example.org/poster.jpg"', $result);
}
public function test_sanitize_removes_localhost_poster_attribute(): void {
$input = 'assertStringNotContainsString('poster=', $result);
$this->assertStringContainsString('assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('poster="http://192.168.1.50/poster.jpg"', $result);
}
public function test_sanitize_removes_private_ip_poster_on_non_standard_port(): void {
$input = 'assertStringNotContainsString('poster=', $result);
$this->assertStringContainsString('assertNotFalse($result);
$this->assertStringContainsString('assertStringNotContainsString('srcset=', $result);
}
public function test_sanitize_filters_invalid_urls_from_srcset(): void {
$input = 'assertStringContainsString('srcset=', $result);
$this->assertStringContainsString('https://example.org/img1.jpg', $result);
$this->assertStringNotContainsString('localhost:8080', $result);
}
public function test_sanitize_relative_url_with_base_url_port_preserved_in_href(): void {
$input = 'Read more
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.org:8080/feed/');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://example.org:8080/feed/article.html', $result);
}
public function test_sanitize_relative_url_with_base_url_non_standard_port_allowed_in_img(): void {
$input = '
';
$result = Sanitizer::sanitize($input, false, false, 'http://example.org:8080/feed/');
$this->assertNotFalse($result);
$this->assertStringContainsString('assertStringContainsString('http://example.org:8080/feed/image.jpg', $result);
}
public function test_sanitize_img_with_valid_srcset_but_invalid_src(): void {
$input = 'assertStringNotContainsString('127.0.0.1', $result);
// Valid srcset should be preserved
$this->assertStringContainsString('srcset=', $result);
$this->assertStringContainsString('https://example.org/img1.jpg', $result);
$this->assertStringContainsString('https://example.org/img2.jpg', $result);
}
public function test_sanitize_img_with_only_srcset_no_src(): void {
$input = 'assertStringContainsString('srcset=', $result);
$this->assertStringContainsString('https://example.org/img1.jpg', $result);
$this->assertStringContainsString('https://example.org/img2.jpg', $result);
}
public function test_sanitize_img_with_invalid_src_and_invalid_srcset(): void {
$input = 'assertStringContainsString('<img', $result);
$this->assertStringContainsString('127.0.0.1:8080', $result);
}
public function test_sanitize_img_with_invalid_src_and_no_srcset(): void {
$input = 'assertStringContainsString('<img', $result);
$this->assertStringContainsString('127.0.0.1:8080', $result);
}
public function test_sanitize_source_with_valid_srcset_but_invalid_src(): void {
$input = 'assertStringNotContainsString('localhost:8080', $result);
// Valid srcset should be preserved
$this->assertStringContainsString('srcset=', $result);
$this->assertStringContainsString('https://example.org/img1.jpg', $result);
$this->assertStringContainsString('https://example.org/img2.jpg', $result);
}
public function test_sanitize_source_with_only_srcset_no_src(): void {
$input = 'assertStringContainsString('srcset=', $result);
$this->assertStringContainsString('https://example.org/img1.jpg', $result);
$this->assertStringContainsString('https://example.org/img2.jpg', $result);
}
public function test_sanitize_source_with_invalid_src_and_invalid_srcset(): void {
$input = 'assertStringContainsString('<source', $result);
$this->assertStringContainsString('127.0.0.1:8080', $result);
}
public function test_sanitize_srcset_with_mixed_valid_and_invalid_urls(): void {
$input = 'assertStringContainsString('srcset=', $result);
// Valid URLs should be preserved
$this->assertStringContainsString('https://example.org/good1.jpg', $result);
$this->assertStringContainsString('https://example.org/good2.jpg', $result);
// Invalid URL should be removed
$this->assertStringNotContainsString('localhost:8080', $result);
}
public function test_sanitize_img_with_valid_src_and_partially_valid_srcset(): void {
$input = 'assertStringContainsString('src="https://example.org/main.jpg"', $result);
// Valid srcset URL should be preserved
$this->assertStringContainsString('https://example.org/good.jpg', $result);
// Invalid srcset URL should be removed
$this->assertStringNotContainsString('127.0.0.1', $result);
}
}
