summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAngie Byron2009-11-08 13:58:03 +0000
committerAngie Byron2009-11-08 13:58:03 +0000
commit07151b0c822bd1ccfbf80c1005d2288e49ba7513 (patch)
tree7f308e9c50a4eee2d659979374d0e6d2d0e377f5
parent3e8344b5c4bc3e793f822c215cdb9c4b1c2c7db4 (diff)
#523058 by catch, pwolanin, sun, and smk-ka, and jrchamp: Optimize check_plain().7.0-unstable-10
-rw-r--r--includes/bootstrap.inc29
-rw-r--r--modules/simpletest/tests/common.test36
2 files changed, 63 insertions, 2 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 82699eb..9b91430 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1163,11 +1163,36 @@ function drupal_unpack($obj, $field = 'data') {
/**
* Encode special characters in a plain-text string for display as HTML.
*
- * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Also validates strings as UTF-8 to prevent cross site scripting attacks on
* Internet Explorer 6.
+ *
+ * @param $text
+ * The text to be checked or processed.
+ * @return
+ * An HTML safe version of $text, or an empty string if $text is not
+ * valid UTF-8.
+ * @see drupal_validate_utf8().
*/
function check_plain($text) {
- return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+ // We do not want to use drupal_static() since PHP version will never change
+ // during a request.
+ static $php525;
+
+ if (!isset($php525)) {
+ $php525 = version_compare(PHP_VERSION, '5.2.5', '>=');
+ }
+ // We duplicate the preg_match() to validate strings as UTF-8 from
+ // drupal_validate_utf8() here. This avoids the overhead of an additional
+ // function call, since check_plain() may be called hundreds of times during
+ // a request. For PHP 5.2.5+, this check for valid UTF-8 should be handled
+ // internally by PHP in htmlspecialchars().
+ // @see http://www.php.net/releases/5_2_5.php
+ // @todo remove this when support for either IE6 or PHP < 5.2.5 is dropped.
+
+ if ($php525) {
+ return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
+ }
+ return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}
/**
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index d8bb13c..f1bd54a 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -311,6 +311,42 @@ class CommonURLUnitTest extends DrupalUnitTestCase {
}
}
+/**
+ * Tests for the check_plain() and filter_xss() functions.
+ */
+class CommonXssUnitTest extends DrupalUnitTestCase {
+
+ public static function getInfo() {
+ return array(
+ 'name' => 'String filtering tests',
+ 'description' => 'Confirm that check_plain() and filter_xss() work correctly, including invalid multi-byte sequences.',
+ 'group' => 'System',
+ );
+ }
+
+ /**
+ * Check that invalid multi-byte sequences are rejected.
+ */
+ function testInvalidMultiByte() {
+ $text = check_plain("Foo\xC0barbaz");
+ $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "Foo\xC0barbaz"');
+ $text = check_plain("Fooÿñ");
+ $this->assertEqual($text, "Fooÿñ", 'check_plain() accepts valid sequence "Fooÿñ"');
+ $text = filter_xss("Foo\xC0barbaz");
+ $this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\xC0barbaz"');
+ $text = filter_xss("Fooÿñ");
+ $this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
+ }
+
+ /**
+ * Check that special characters are escaped.
+ */
+ function testEscaping() {
+ $text = check_plain("<script>");
+ $this->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes &lt;script&gt;');
+ }
+}
+
class CommonSizeTestCase extends DrupalUnitTestCase {
protected $exact_test_cases;
protected $rounded_test_cases;