Add markdown_escape setting

This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
author: ArthurHoaro <arthur@hoa.ro> 2017-02-27 19:45:55 +0100
committer: ArthurHoaro <arthur@hoa.ro> 2017-02-28 19:16:54 +0100
commit: e03761011521929a375ebb56f21adacb226a3a8d (patch)
tree: 6cc318939e74a35d74a037f18bca912b73e5c81e /tests/Updater/UpdaterTest.php
parent: 5978588578ca103152598ccfbe41019b12e00a4f (diff)
download: Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip
1 files changed, 66 insertions, 0 deletions
diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php
index de330ae2..39be88f9 100644
--- a/tests/Updater/UpdaterTest.php
+++ b/tests/Updater/UpdaterTest.php
@@ -506,4 +506,70 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
        $this->conf = new ConfigManager($sandboxConf);
        $this->assertEquals($theme, $this->conf->get('resource.theme'));
    }
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin enabled
+     * => setting markdown_escape set to false.
+     */
+    public function testEscapeMarkdownSettingToFalse()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('general.enabled_plugins', ['markdown']);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin disabled
+     * => setting markdown_escape set to true.
+     */
+    public function testEscapeMarkdownSettingToTrue()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('general.enabled_plugins', []);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already enabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoEnabled()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('security.markdown_escape', true);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already disabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoDisabled()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
 }
author	ArthurHoaro <arthur@hoa.ro>	2017-02-27 19:45:55 +0100
committer	ArthurHoaro <arthur@hoa.ro>	2017-02-28 19:16:54 +0100
commit	e03761011521929a375ebb56f21adacb226a3a8d (patch)
tree	6cc318939e74a35d74a037f18bca912b73e5c81e /tests/Updater/UpdaterTest.php
parent	5978588578ca103152598ccfbe41019b12e00a4f (diff)
download	Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip

diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php index de330ae2..39be88f9 100644 --- a/tests/Updater/UpdaterTest.php +++ b/tests/Updater/UpdaterTest.php
@@ -506,4 +506,70 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
506	$this->conf = new ConfigManager($sandboxConf);	506	$this->conf = new ConfigManager($sandboxConf);
507	$this->assertEquals($theme, $this->conf->get('resource.theme'));	507	$this->assertEquals($theme, $this->conf->get('resource.theme'));
508	}	508	}
		509
		510	/**
		511	* Test updateMethodEscapeMarkdown with markdown plugin enabled
		512	* => setting markdown_escape set to false.
		513	*/
		514	public function testEscapeMarkdownSettingToFalse()
		515	{
		516	$sandboxConf = 'sandbox/config';
		517	copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
		518	$this->conf = new ConfigManager($sandboxConf);
		519
		520	$this->conf->set('general.enabled_plugins', ['markdown']);
		521	$updater = new Updater([], [], $this->conf, true);
		522	$this->assertTrue($updater->updateMethodEscapeMarkdown());
		523	$this->assertFalse($this->conf->get('security.markdown_escape'));
		524
		525	// reload from file
		526	$this->conf = new ConfigManager($sandboxConf);
		527	$this->assertFalse($this->conf->get('security.markdown_escape'));
		528	}
		529
		530
		531	/**
		532	* Test updateMethodEscapeMarkdown with markdown plugin disabled
		533	* => setting markdown_escape set to true.
		534	*/
		535	public function testEscapeMarkdownSettingToTrue()
		536	{
		537	$sandboxConf = 'sandbox/config';
		538	copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
		539	$this->conf = new ConfigManager($sandboxConf);
		540
		541	$this->conf->set('general.enabled_plugins', []);
		542	$updater = new Updater([], [], $this->conf, true);
		543	$this->assertTrue($updater->updateMethodEscapeMarkdown());
		544	$this->assertTrue($this->conf->get('security.markdown_escape'));
		545
		546	// reload from file
		547	$this->conf = new ConfigManager($sandboxConf);
		548	$this->assertTrue($this->conf->get('security.markdown_escape'));
		549	}
		550
		551	/**
		552	* Test updateMethodEscapeMarkdown with nothing to do (setting already enabled)
		553	*/
		554	public function testEscapeMarkdownSettingNothingToDoEnabled()
		555	{
		556	$sandboxConf = 'sandbox/config';
		557	copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
		558	$this->conf = new ConfigManager($sandboxConf);
		559	$this->conf->set('security.markdown_escape', true);
		560	$updater = new Updater([], [], $this->conf, true);
		561	$this->assertTrue($updater->updateMethodEscapeMarkdown());
		562	$this->assertTrue($this->conf->get('security.markdown_escape'));
		563	}
		564
		565	/**
		566	* Test updateMethodEscapeMarkdown with nothing to do (setting already disabled)
		567	*/
		568	public function testEscapeMarkdownSettingNothingToDoDisabled()
		569	{
		570	$this->conf->set('security.markdown_escape', false);
		571	$updater = new Updater([], [], $this->conf, true);
		572	$this->assertTrue($updater->updateMethodEscapeMarkdown());
		573	$this->assertFalse($this->conf->get('security.markdown_escape'));
		574	}
509	}	575	}