diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-02-19 19:37:13 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-02-19 19:37:13 +0100 |
commit | 2925687e1e86dc113116330efd547b9db5c0f1a6 (patch) | |
tree | 706706ddfc9472e51494db912f9bee03972ce93f /tests/plugins/PluginMarkdownTest.php | |
parent | bfec695df1205864b46ca7175e1598b184602687 (diff) | |
download | Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.gz Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.zst Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.zip |
Markdown: don't escape content + sanitize sensible tags
Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
Diffstat (limited to 'tests/plugins/PluginMarkdownTest.php')
-rw-r--r-- | tests/plugins/PluginMarkdownTest.php | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php index 455f5ba7..8e1a128a 100644 --- a/tests/plugins/PluginMarkdownTest.php +++ b/tests/plugins/PluginMarkdownTest.php | |||
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
100 | } | 100 | } |
101 | 101 | ||
102 | /** | 102 | /** |
103 | * Test reset_quote_tags() | 103 | * Test sanitize_html(). |
104 | */ | 104 | */ |
105 | function testResetQuoteTags() | 105 | function testSanitizeHtml() { |
106 | { | 106 | $input = '< script src="js.js"/>'; |
107 | $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote'; | 107 | $input .= '< script attr>alert(\'xss\');</script>'; |
108 | $processedText = escape($text); | 108 | $input .= '<style> * { display: none }</style>'; |
109 | $reversedText = reset_quote_tags($processedText); | 109 | $output = escape($input); |
110 | $this->assertEquals($text, $reversedText); | 110 | $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>'; |
111 | $output .= '<a href="#" attr="tt">link</a>'; | ||
112 | $this->assertEquals($output, sanitize_html($input)); | ||
113 | // Do not touch escaped HTML. | ||
114 | $input = escape($input); | ||
115 | $this->assertEquals($input, sanitize_html($input)); | ||
111 | } | 116 | } |
112 | } | 117 | } |