security: escape HTML entities when using Markdown

Adapted from https://github.com/shaarli/Shaarli/pull/785 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2017-03-08 20:38:41 +0100
committer: VirtualTam <virtualtam@flibidi.net> 2017-03-08 20:38:41 +0100
commit: 1328d222680edf2ebdaea5624a7496240bd075f0 (patch)
tree: d515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0 /tests/plugins
parent: ebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff)
download: Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.gz
Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.zst
Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index fa7e1d52..67bf8968 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -149,4 +149,22 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
        $data = hook_markdown_render_daily($data);
        $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
    }
+    /**
+     * Make sure that the HTML tags are escaped.
+     */
+    public function testMarkdownWithHtmlEscape()
+    {
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
 }
author	VirtualTam <virtualtam@flibidi.net>	2017-03-08 20:38:41 +0100
committer	VirtualTam <virtualtam@flibidi.net>	2017-03-08 20:38:41 +0100
commit	1328d222680edf2ebdaea5624a7496240bd075f0 (patch)
tree	d515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0 /tests/plugins
parent	ebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff)
download	Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.gz Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.zst Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.zip

diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php index fa7e1d52..67bf8968 100644 --- a/tests/plugins/PluginMarkdownTest.php +++ b/tests/plugins/PluginMarkdownTest.php
@@ -149,4 +149,22 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
149	$data = hook_markdown_render_daily($data);	149	$data = hook_markdown_render_daily($data);
150	$this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);	150	$this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
151	}	151	}
		152
		153	/**
		154	* Make sure that the HTML tags are escaped.
		155	*/
		156	public function testMarkdownWithHtmlEscape()
		157	{
		158	$md = 'strong <strong>strong</strong>';
		159	$html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
		160	$data = array(
		161	'links' => array(
		162	0 => array(
		163	'description' => $md,
		164	),
		165	),
		166	);
		167	$data = hook_markdown_render_linklist($data);
		168	$this->assertEquals($html, $data['links'][0]['description']);
		169	}
152	}	170	}