Markdown: don't escape content + sanitize sensible tags

Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
author: ArthurHoaro <arthur@hoa.ro> 2016-02-19 19:37:13 +0100
committer: ArthurHoaro <arthur@hoa.ro> 2016-02-19 19:37:13 +0100
commit: 2925687e1e86dc113116330efd547b9db5c0f1a6 (patch)
tree: 706706ddfc9472e51494db912f9bee03972ce93f /tests/plugins
parent: bfec695df1205864b46ca7175e1598b184602687 (diff)
download: Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.gz
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.zst
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.zip
1 files changed, 12 insertions, 7 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index 455f5ba7..8e1a128a 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
    }
    /**
-     * Test reset_quote_tags()
+     * Test sanitize_html().
     */
-    function testResetQuoteTags()
+    function testSanitizeHtml() {
-    {
+        $input = '< script src="js.js"/>';
-        $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';
+        $input .= '< script attr>alert(\'xss\');</script>';
-        $processedText = escape($text);
+        $input .= '<style> * { display: none }</style>';
-        $reversedText = reset_quote_tags($processedText);
+        $output = escape($input);
-        $this->assertEquals($text, $reversedText);
+        $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
+        $output .= '<a href="#"  attr="tt">link</a>';
+        $this->assertEquals($output, sanitize_html($input));
+        // Do not touch escaped HTML.
+        $input = escape($input);
+        $this->assertEquals($input, sanitize_html($input));
    }
 }
author	ArthurHoaro <arthur@hoa.ro>	2016-02-19 19:37:13 +0100
committer	ArthurHoaro <arthur@hoa.ro>	2016-02-19 19:37:13 +0100
commit	2925687e1e86dc113116330efd547b9db5c0f1a6 (patch)
tree	706706ddfc9472e51494db912f9bee03972ce93f /tests/plugins
parent	bfec695df1205864b46ca7175e1598b184602687 (diff)
download	Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.gz Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.zst Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.zip

diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php index 455f5ba7..8e1a128a 100644 --- a/tests/plugins/PluginMarkdownTest.php +++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
100	}	100	}
101		101
102	/**	102	/**
103	* Test reset_quote_tags()	103	* Test sanitize_html().
104	*/	104	*/
105	function testResetQuoteTags()	105	function testSanitizeHtml() {
106	{	106	$input = '< script src="js.js"/>';
107	$text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';	107	$input .= '< script attr>alert(\'xss\');</script>';
108	$processedText = escape($text);	108	$input .= '<style> * { display: none }</style>';
109	$reversedText = reset_quote_tags($processedText);	109	$output = escape($input);
110	$this->assertEquals($text, $reversedText);	110	$input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
		111	$output .= '<a href="#" attr="tt">link</a>';
		112	$this->assertEquals($output, sanitize_html($input));
		113	// Do not touch escaped HTML.
		114	$input = escape($input);
		115	$this->assertEquals($input, sanitize_html($input));
111	}	116	}
112	}	117	}