from the attribute, I would rather expect it to
// remove the style attribute ( is well-formed XML as far as I can tell), however this is not dangerous.
$filtered = filter_xss('
', array('p'));
$this->assertNoNormalized($filtered, 'style', t('HTML filter attributes removal evasion -- filter not distinguishing quotes.'));
$filtered = filter_xss('', array('p'));
$this->assertEqual($filtered, '', t('HTML filter -- filter does not break markup.'));
$filtered = filter_xss('D;', array('p'));
$this->assertEqual($filtered, 'D;', t('HTML filter -- filter recognizes numerical entities.'));
// TODO: I have huge doubts about allowing some HTML attributes.
$filtered = filter_filter('process', 0, 'no_such_format', ''); // At least What You See Is Not What You Copy tricks.
$this->assertEqual($filtered, 'class', t('HTML filter should remove class attribute on default.'));
$filtered = filter_filter('process', 0, 'no_such_format', ''); // This becomes the default namespace in em's scope. TODO: Not sure if this can be made to really work though.
$this->assertNoNormalized($filtered, 'xmlns', t('HTML filter should remove xmlns attribute on default.'));
// TODO: Running HTML filter with allowed script, iframe, style, frame, object, embed, applet, layer etc. doesn't make sense.
// TODO: There is no assertException or something like that?
$filtered = filter_xss('', array('script'));
$this->assertNull($filtered, t('HTML filter -- filter refuses to run when it can\'t guarantee XSS safety.'));
// TODO: A small inconsistency in attribute removal: if a forbidden attribute is given as the last one and has no value, the filter does not remove it.
// This is most probably not exploitable, but is unexpected. Issue #327331.
$filtered = filter_xss('', array('p'));
$this->assertNoNormalized($filtered, 'style', t('HTML filter -- valueless, forbidden attribute given as the last one.'));
// TODO: Linebreaking filter does not skip comments.
$filtered = _filter_autop("");
$this->assertEqual($filtered, "", t('Line breaking -- do not change comments.'));
// TODO: URL filter should skip comments.
$filtered = _filter_url('', 'f');
$this->assertEqual($filtered, '', t('Converting URLs -- do not change comments.'));
// TODO: URL filter doesn't recognize URLs with square brackets (issue #190466).
$filtered = _filter_url('http://www.example.com/index.php?a[]=1', 'f');
$this->assertEqual($filtered, 'http://www.example.com/index.php?a[]=1', t('Converting URLs -- addresses with square brackets.'));
// TODO: URL filter should recognize domain names in more contexts (issue #161217 again).
$filtered = _filter_url('www.example.com', 'f'); // Do we or don't we want this to be recognized?
$this->assertEqual($filtered, 'http://www.example.com', t('Converting URLs -- domain name within unknown tag.'));
$filtered = _filter_url('www.example.com', 'f');
$this->assertEqual($filtered, 'http://www.example.com', t('Converting URLs -- domain name within strong tag.'));
$filtered = _filter_url('- www.example.com
', 'f');
$this->assertEqual($filtered, 'http://www.example.com', t('Converting URLs -- domain names in definition list titles.'));
$filtered = _filter_url('- www.example.com
', 'f');
$this->assertEqual($filtered, '- http://www.example.com
', t('Converting URLs -- domain names in a definition list.'));
$filtered = _filter_url('http://www.example.com
', 'f'); // Not so sure if it should or it shouldn't convert these.
$this->assertEqual($filtered, 'http://www.example.com
', t('Converting URLs -- blockquote handling.'));
// TODO: URL filter doesn't recognize certain e-mail addresses.
// See: http://tools.ietf.org/html/rfc5322#section-3.2.3 and http://tools.ietf.org/html/rfc5321#section-4.1.3 .
$filtered = _filter_url('"\"\\()[]\;:,<>@ "!#$%&\'*+-/=?^_`.{|}~@example.com', 'f');
$this->assertEqual($filtered, '@ "!#$%&\'*+-/=?^_`.{|}~@example.com">"\"\\()[]\;:,<>@ "!#$%&\'*+-/=?^_`.{|}~@example.com', t('Converting e-mail addresses -- an interesting, valid address.'));
// TODO: HTML corrector does not handle comments properly (issue #222926).
$filtered = _filter_htmlcorrector('');
$this->assertEqual($filtered, '', t('HTML corrector -- skipping comments.'));
$filtered = _filter_htmlcorrector("", t('HTML corrector -- closing unclosed comments.'));
}