author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2017-02-28 19:16:54 +0100 |
commit | e03761011521929a375ebb56f21adacb226a3a8d (patch) | |
tree | 6cc318939e74a35d74a037f18bca912b73e5c81e /tests/Updater | |
parent | 5978588578ca103152598ccfbe41019b12e00a4f (diff) | |
download | Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip |
Add markdown_escape setting
This setting controls whether HTML is escaped during markdown rendering.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
Diffstat (limited to 'tests/Updater')
-rw-r--r-- | tests/Updater/UpdaterTest.php | 66 |
1 files changed, 66 insertions, 0 deletions
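--- a/tests/Updater/UpdaterTest.php
+++ b/tests/Updater/UpdaterTest.php
@@ -506,4 +506,70 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
         $this->conf = new ConfigManager($sandboxConf);
         $this->assertEquals($theme, $this->conf->get('resource.theme'));
     }
+
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin enabled
+     * => setting markdown_escape set to false.
+     */
+    public function testEscapeMarkdownSettingToFalse()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+
+        $this->conf->set('general.enabled_plugins', ['markdown']);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
+
+
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin disabled
+     * => setting markdown_escape set to true.
+     */
+    public function testEscapeMarkdownSettingToTrue()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+
+        $this->conf->set('general.enabled_plugins', []);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already enabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoEnabled()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('security.markdown_escape', true);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already disabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoDisabled()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
 }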
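Review bot: `testEscapeMarkdownSettingNothingToDoEnabled` and `testEscapeMarkdownSettingNothingToDoDisabled` leave `general.enabled_plugins` at whatever the copied config holds, so they do not show that a pre-existing `security.markdown_escape` value wins over the plugin state — in particular that a stored `true` is not downgraded to `false` when the markdown plugin is enabled, which is the case that matters for the XSS protection this setting introduces. Adding `$this->conf->set('general.enabled_plugins', ['markdown']);` before the updater call in the "enabled" test (and `[]` in the "disabled" one) would pin that precedence. The "disabled" test also skips the sandbox copy the other three perform and runs against the `$this->conf` built in setUp, which is outside the hunk; if that instance is backed by the shared fixture file, the update may write into it, and a `// reload from file` check like the first two tests have is missing. The enclosing class closes on the last line of the hunk, but its setUp/tearDown are not visible here.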