Markdown: don't escape content + sanitize sensible tags

[github/shaarli/Shaarli.git] / tests / plugins / PluginMarkdownTest.php

diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index 455f5ba7c7d95038b93fdd58af34f76adeea2f52..8e1a128acc6d2b00218611af2f7257fd0ff437a7 100644 (file)
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * Test reset_quote_tags()
+     * Test sanitize_html().
      */
-    function testResetQuoteTags()
-    {
-        $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';
-        $processedText = escape($text);
-        $reversedText = reset_quote_tags($processedText);
-        $this->assertEquals($text, $reversedText);
+    function testSanitizeHtml() {
+        $input = '< script src="js.js"/>';
+        $input .= '< script attr>alert(\'xss\');</script>';
+        $input .= '<style> * { display: none }</style>';
+        $output = escape($input);
+        $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
+        $output .= '<a href="#"  attr="tt">link</a>';
+        $this->assertEquals($output, sanitize_html($input));
+        // Do not touch escaped HTML.
+        $input = escape($input);
+        $this->assertEquals($input, sanitize_html($input));
     }
 }