authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-03-04 09:38:12 +0100
commit9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch)
tree5950eea367714b54cb24cdfb57963adf85a907e4 /tests/Updater/UpdaterTest.php
parent63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff)
Add markdown_escape setting
This setting controls whether HTML is escaped in markdown rendering. The goal is to avoid XSS issues in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already has the plugin enabled (to avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'tests/Updater/UpdaterTest.php')
-rw-r--r--tests/Updater/UpdaterTest.php65
1 files changed, 65 insertions, 0 deletions
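--- a/tests/Updater/UpdaterTest.php
+++ b/tests/Updater/UpdaterTest.php
@@ -385,4 +385,69 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
 $this->assertTrue($updater->updateMethodDatastoreIds());
 $this->assertEquals($checksum, hash_file('sha1', self::$testDatastore));
 }
+
+/**
+* Test updateMethodEscapeMarkdown with markdown plugin enabled
+* => setting markdown_escape set to false.
+*/
+public function testEscapeMarkdownSettingToFalse()
+{
+$sandboxConf = 'sandbox/config';
+copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+$this->conf = new ConfigManager($sandboxConf);
+
+$this->conf->set('general.enabled_plugins', ['markdown']);
+$updater = new Updater([], [], $this->conf, true);
+$this->assertTrue($updater->updateMethodEscapeMarkdown());
+$this->assertFalse($this->conf->get('security.markdown_escape'));
+
+// reload from file
+$this->conf = new ConfigManager($sandboxConf);
+$this->assertFalse($this->conf->get('security.markdown_escape'));
+}
+
+/**
+* Test updateMethodEscapeMarkdown with markdown plugin disabled
+* => setting markdown_escape set to true.
+*/
+public function testEscapeMarkdownSettingToTrue()
+{
+$sandboxConf = 'sandbox/config';
+copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+$this->conf = new ConfigManager($sandboxConf);
+
+$this->conf->set('general.enabled_plugins', []);
+$updater = new Updater([], [], $this->conf, true);
+$this->assertTrue($updater->updateMethodEscapeMarkdown());
+$this->assertTrue($this->conf->get('security.markdown_escape'));
+
+// reload from file
+$this->conf = new ConfigManager($sandboxConf);
+$this->assertTrue($this->conf->get('security.markdown_escape'));
+}
+
+/**
+* Test updateMethodEscapeMarkdown with nothing to do (setting already enabled)
+*/
+public function testEscapeMarkdownSettingNothingToDoEnabled()
+{
+$sandboxConf = 'sandbox/config';
+copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+$this->conf = new ConfigManager($sandboxConf);
+$this->conf->set('security.markdown_escape', true);
+$updater = new Updater([], [], $this->conf, true);
+$this->assertTrue($updater->updateMethodEscapeMarkdown());
+$this->assertTrue($this->conf->get('security.markdown_escape'));
+}
+
+/**
+* Test updateMethodEscapeMarkdown with nothing to do (setting already disabled)
+*/
+public function testEscapeMarkdownSettingNothingToDoDisabled()
+{
+$this->conf->set('security.markdown_escape', false);
+$updater = new Updater([], [], $this->conf, true);
+$this->assertTrue($updater->updateMethodEscapeMarkdown());
+$this->assertFalse($this->conf->get('security.markdown_escape'));
+}
 }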
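Review bot: testEscapeMarkdownSettingNothingToDoEnabled does not prove that an existing `security.markdown_escape = true` survives the migration when the markdown plugin is enabled, which is the case that matters for a shared instance: the test sets the value but leaves `general.enabled_plugins` at whatever the copied config file contains, so the assertion would also pass if the updater simply recomputed the value from the plugin list. Adding `$this->conf->set('general.enabled_plugins', ['markdown']);` before the `new Updater(...)` line makes the test fail if the updater ever overwrites an explicit true. The two nothing-to-do tests also skip the reload-from-file check that the first two tests perform, so they do not show whether the updater leaves the config file untouched in that case. The three-line sandbox setup is repeated in three tests and could become a small private helper; the enclosing test class and its setUp/tearDown are outside the hunk, so whether the copied `sandbox/config` file is removed afterwards cannot be seen here.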