author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2017-03-04 09:38:12 +0100 |
commit | 9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch) | |
tree | 5950eea367714b54cb24cdfb57963adf85a907e4 /tests/plugins | |
parent | 63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff) | |
Add markdown_escape setting
This setting controls whether HTML in markdown-rendered descriptions is escaped.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
Diffstat (limited to 'tests/plugins')
-rw-r--r-- | tests/plugins/PluginMarkdownTest.php | 57 | ||||
-rw-r--r-- | tests/plugins/resources/markdown.html | 6 |
2 files changed, 54 insertions, 9 deletions
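--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -14,11 +14,17 @@ require_once 'plugins/markdown/markdown.php';
 class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 {
     /**
+     * @var ConfigManager instance.
+     */
+    protected $conf;
+
+    /**
      * Reset plugin path
      */
     function setUp()
     {
         PluginManager::$PLUGINS_PATH = 'plugins';
+        $this->conf = new ConfigManager('tests/utils/config/configJson');
     }
 
     /**
@@ -36,7 +42,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_linklist($data);
+        $data = hook_markdown_render_linklist($data, $this->conf);
         $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>'));
         $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>'));
     }
@@ -61,7 +67,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
         $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>'));
         $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>'));
     }
@@ -110,6 +116,8 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
         $output = escape($input);
         $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
         $output .= '<a href="#" attr="tt">link</a>';
+        $input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>';
+        $output .= '<a href="#" attr="tt">link</a>';
         $this->assertEquals($output, sanitize_html($input));
         // Do not touch escaped HTML.
         $input = escape($input);
@@ -130,10 +138,10 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ))
         );
 
-        $processed = hook_markdown_render_linklist($data);
+        $processed = hook_markdown_render_linklist($data, $this->conf);
         $this->assertEquals($str, $processed['links'][0]['description']);
 
-        $processed = hook_markdown_render_feed($data);
+        $processed = hook_markdown_render_feed($data, $this->conf);
         $this->assertEquals($str, $processed['links'][0]['description']);
 
         $data = array(
@@ -151,7 +159,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
         $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
     }
 
@@ -169,7 +177,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ))
         );
 
-        $data = hook_markdown_render_feed($data);
+        $data = hook_markdown_render_feed($data, $this->conf);
         $this->assertContains('<em>', $data['links'][0]['description']);
     }
 
@@ -185,4 +193,41 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
         $data = process_markdown($md);
         $this->assertEquals($html, $data);
     }
+
+    /**
+     * Make sure that the HTML tags are escaped.
+     */
+    public function testMarkdownWithHtmlEscape()
+    {
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
+
+    /**
+     * Make sure that the HTML tags aren't escaped with the setting set to false.
+     */
+    public function testMarkdownWithHtmlNoEscape()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
 }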
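Review bot: As rendered here, the expected `$html` in testMarkdownWithHtmlEscape is byte-identical to the one in testMarkdownWithHtmlNoEscape, so the two tests would pass or fail together and neither one proves that escaping actually happened; if this is not an entity-decoding artifact of the page, the escape case should expect `'<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>'`. testMarkdownWithHtmlEscape also depends on whatever tests/utils/config/configJson (or the plugin's fallback) holds for security.markdown_escape instead of pinning it; adding `$this->conf->set('security.markdown_escape', true);` at the top would make the secure default explicit and keep the test independent of fixture changes. The new sanitize_html cases only cover `on*` event-handler attributes (quoted and now unquoted); since the commit message itself says the markdown_escape=false path is not XSS-proof, a case with `href="javascript:alert(1)"` and one with a raw `<script>` tag rendered through hook_markdown_render_linklist with the setting off would document what the sanitizer does and does not catch.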
diff --git a/tests/plugins/resources/markdown.html b/tests/plugins/resources/markdown.html index c0fbe7f4..07a5a32e 100644 --- a/tests/plugins/resources/markdown.html +++ b/tests/plugins/resources/markdown.html | |||
@@ -12,11 +12,11 @@ | |||
12 | <li><a href="http://link.tld">two</a></li> | 12 | <li><a href="http://link.tld">two</a></li> |
13 | <li><a href="http://link.tld">three</a></li> | 13 | <li><a href="http://link.tld">three</a></li> |
14 | <li><a href="http://link.tld">four</a></li> | 14 | <li><a href="http://link.tld">four</a></li> |
15 | <li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li> | 15 | <li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li> |
16 | </ol></li> | 16 | </ol></li> |
17 | </ol> | 17 | </ol> |
18 | <p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p> | 18 | <p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p> |
19 | <p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p> | 19 | <p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p> |
20 | <pre><code>http://link.tld #foobar | 20 | <pre><code>http://link.tld #foobar |
21 | next #foo</code></pre> | 21 | next #foo</code></pre> |
22 | <p>Block:</p> | 22 | <p>Block:</p> |