Merge pull request #4431 from ampproject/fix/ld-json-validation
Restrict JSON validation to non-LD scripts
westonruter authored Mar 24, 2020
2 parents 7b760fb + 7b82404 commit 3f6e89e
Showing 2 changed files with 19 additions and 13 deletions.
@@ -936,7 +936,7 @@ private function validate_cdata_for_node( DOMElement $element, $cdata_spec ) {
}

// When the CDATA is expected to be JSON, ensure it's valid JSON.
if ( 'script' === $element->nodeName && in_array( $element->getAttribute( 'type' ), [ 'application/json', 'application/ld+json' ], true ) ) {
if ( 'script' === $element->nodeName && 'application/json' === $element->getAttribute( 'type' ) ) {
if ( '' === trim( $element->textContent ) ) {
return [ 'code' => self::JSON_ERROR_EMPTY ];
}
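Review bot: The comment above the changed condition (`// When the CDATA is expected to be JSON, ensure it's valid JSON.`) no longer matches the code, because `application/ld+json` is also JSON but is now deliberately skipped. I would reword it to `// Validate only application/json here; application/ld+json is intentionally not validated (see #4431).` so the exclusion is not mistaken for an oversight and reverted later. The new condition is also an exact, case-sensitive comparison on the raw `type` attribute, so it is worth confirming that the value is normalised or constrained before this point; otherwise a differently-cased type would presumably skip JSON validation as well. `validate_cdata_for_node` starts and ends outside the hunk, so the earlier CDATA checks are not visible here.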
30 changes: 18 additions & 12 deletions tests/php/test-tag-and-attribute-sanitizer.php
@@ -2893,29 +2893,35 @@ public function get_html_data() {
[ AMP_Tag_And_Attribute_Sanitizer::INVALID_CDATA_HTML_COMMENTS ],
],
'cdata_malformed_json' => [
'<html><head><meta charset="utf-8"><script type="application/ld+json">{"example": </script></head><body></body></html>',
'<html><head><meta charset="utf-8"></head><body></body></html>',
[],
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"><script type="application/json">{"example": </script></amp-ima-video></body></html>',
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"></amp-ima-video></body></html>',
[ 'amp-ima-video' ],
[ AMP_Tag_And_Attribute_Sanitizer::JSON_ERROR_SYNTAX ],
],
'cdata_malformed_json_with_emojis' => [
'<html><head><meta charset="utf-8"><script type="application/ld+json">{"wrong": "' . wp_staticize_emoji( '🚧 🚧' ) . '"}</script></head><body></body></html>',
'<html><head><meta charset="utf-8"></head><body></body></html>',
[],
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"><script type="application/json">{"wrong": "' . wp_staticize_emoji( '🚧 🚧' ) . '"}</script></amp-ima-video></body></html>',
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"></amp-ima-video></body></html>',
[ 'amp-ima-video' ],
[ AMP_Tag_And_Attribute_Sanitizer::JSON_ERROR_SYNTAX ],
],
'cdata_malformed_utf8_json' => [
sprintf( '<html><head><meta charset="utf-8"><script type="application/ld+json">{"wrong": "%s"}</script></head><body></body></html>', "\xFF" ),
'<html><head><meta charset="utf-8"></head><body></body></html>',
[],
sprintf( '<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"><script type="application/json">{"wrong": "%s"}</script></amp-ima-video></body></html>', "\xFF" ),
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"></amp-ima-video></body></html>',
[ 'amp-ima-video' ],
[ AMP_Tag_And_Attribute_Sanitizer::JSON_ERROR_UTF8 ],
],
'cdata_empty_json_considered_invalid' => [
'<html><head><meta charset="utf-8"><script type="application/ld+json"></script></head><body></body></html>',
'<html><head><meta charset="utf-8"></head><body></body></html>',
[],
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"><script type="application/json"></script></amp-ima-video></body></html>',
'<html><head><meta charset="utf-8"></head><body><amp-ima-video width="640" height="360" layout="responsive" data-tag="ads.xml"></amp-ima-video></body></html>',
[ 'amp-ima-video' ],
[ AMP_Tag_And_Attribute_Sanitizer::JSON_ERROR_EMPTY ],
],
'cdata_empty_json_not_considered_invalid' => [
'<html><head><meta charset="utf-8"><script type="application/ld+json" id="__gaOptOutExtension"></script></head><body></body></html>',
null,
[],
[],
],
'analytics_empty_json_considered_invalid' => [
'<html><head><meta charset="utf-8"></head><body><amp-analytics><script type="application/json"> </script></amp-analytics></body></html>',
'<html><head><meta charset="utf-8"></head><body><amp-analytics></amp-analytics></body></html>',
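Review bot: Nothing in this section pins what the sanitizer now does with malformed or invalid-UTF-8 LD+JSON: the converted cases exercise only `application/json` inside `amp-ima-video`, and the one new `application/ld+json` case (`cdata_empty_json_not_considered_invalid`) covers just an empty script. I would add a case that feeds the old malformed payload as `application/ld+json` and asserts the intended outcome, presumably unchanged output with no error codes if no other CDATA rule applies. `get_html_data` starts and ends outside the hunk, so an equivalent case may already exist elsewhere in the provider.

```php
// … unchanged: 'cdata_empty_json_not_considered_invalid' case …
'cdata_malformed_ld_json_not_validated' => [
	'<html><head><meta charset="utf-8"><script type="application/ld+json">{"example": </script></head><body></body></html>',
	null, // Expected to pass through unchanged now that LD+JSON is not JSON-validated.
	[],
	[],
],
```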