Changeset 6379 for trunk/tests/phpunit/testcases/topics/template/topic.php

Timestamp:

03/17/2017 02:51:45 PM (7 years ago)

Author:

johnjamesjacoby

Message:

Tests: Add XSS tests for topic titles.

These are in addition to post-title tests already present in WordPress core, for cases where theme-side, user-generated content is more likely to be targeted by less-trustworthy users than Editors or Administrators.

File:

• trunk/tests/phpunit/testcases/topics/template/topic.php (modified) (1 diff)

trunk/tests/phpunit/testcases/topics/template/topic.php

@@ -92 +92 @@
 
     /**
+     * @covers ::bbp_topic_title
+     * @covers ::bbp_get_topic_title
+     * @group  bbp_xss
+     */
+    public function test_bbp_get_topic_title_with_script_and_quotes() {
+        $f = $this->factory->forum->create();
+        $t = $this->factory->topic->create( array(
+            'post_title'  => '<script src="https://bbpress.org">Script</script> Topic',
+            'post_parent' => $f,
+            'topic_meta'  => array(
+                'forum_id' => $f,
+            ),
+        ) );
+
+        $topic_title = bbp_get_topic_title( $t );
+        $this->assertSame( 'Script Topic', $topic_title );
+    }
+
+    /**
+     * @covers ::bbp_topic_title
+     * @covers ::bbp_get_topic_title
+     * @group  bbp_xss
+     */
+    public function test_bbp_get_topic_title_with_script_no_quotes() {
+        $f = $this->factory->forum->create();
+        $t = $this->factory->topic->create( array(
+            'post_title'  => '<script src=https://bbpress.org>Script</script> Topic',
+            'post_parent' => $f,
+            'topic_meta'  => array(
+                'forum_id' => $f,
+            ),
+        ) );
+
+        $topic_title = bbp_get_topic_title( $t );
+        $this->assertSame( 'Script Topic', $topic_title );
+    }
+
+    /**
+     * @covers ::bbp_topic_title
+     * @covers ::bbp_get_topic_title
+     * @group  bbp_xss
+     */
+    public function test_bbp_get_topic_title_with_quotes() {
+        $f = $this->factory->forum->create();
+        $t = $this->factory->topic->create( array(
+            'post_title'  => '"Quoted" Topic',
+            'post_parent' => $f,
+            'topic_meta'  => array(
+                'forum_id' => $f,
+            ),
+        ) );
+
+        $topic_title = bbp_get_topic_title( $t );
+        $this->assertSame( '&#8220;Quoted&#8221; Topic', $topic_title );
+    }
+
+    /**
+     * @covers ::bbp_topic_title
+     * @covers ::bbp_get_topic_title
+     * @group  bbp_xss
+     */
+    public function test_bbp_get_topic_title_with_js_as_img_src() {
+        $f = $this->factory->forum->create();
+        $t = $this->factory->topic->create( array(
+            'post_title'  => '<img src="javascript:alert(\'Oh, bother!\');">Topic 1',
+            'post_parent' => $f,
+            'topic_meta'  => array(
+                'forum_id' => $f,
+            ),
+        ) );
+
+        $topic_title = bbp_get_topic_title( $t );
+        $this->assertSame( 'Topic 1', $topic_title );
+    }
+
+    /**
+     * @covers ::bbp_topic_title
+     * @covers ::bbp_get_topic_title
+     * @group  bbp_xss
+     */
+    public function test_bbp_get_topic_title_with_extra_open_brackets() {
+        $f = $this->factory->forum->create();
+        $t = $this->factory->topic->create( array(
+            'post_title'  => '<<script>alert("XSS");//<</script>',
+            'post_parent' => $f,
+            'topic_meta'  => array(
+                'forum_id' => $f,
+            ),
+        ) );
+
+        $topic_title = bbp_get_topic_title( $t );
+        $this->assertSame( '&lt;alert(&#8220;XSS&#8221;);//&lt;', $topic_title );
+    }
+
+    /**
      * @covers ::bbp_topic_archive_title
      * @covers ::bbp_get_topic_archive_title