Add markdown_escape setting

This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
author: ArthurHoaro <arthur@hoa.ro> 2017-02-27 19:45:55 +0100
committer: ArthurHoaro <arthur@hoa.ro> 2017-02-28 19:16:54 +0100
commit: e03761011521929a375ebb56f21adacb226a3a8d (patch)
tree: 6cc318939e74a35d74a037f18bca912b73e5c81e /tests/plugins
parent: 5978588578ca103152598ccfbe41019b12e00a4f (diff)
download: Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip
2 files changed, 54 insertions, 9 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index d359b2a1..d4cd1b97 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -14,11 +14,17 @@ require_once 'plugins/markdown/markdown.php';
 class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 {
    /**
+     * @var ConfigManager instance.
+     */
+    protected $conf;
+    /**
     * Reset plugin path
     */
    public function setUp()
    {
        PluginManager::$PLUGINS_PATH = 'plugins';
+        $this->conf = new ConfigManager('tests/utils/config/configJson');
    }
    /**
@@ -36,7 +42,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
            ),
        );
-        $data = hook_markdown_render_linklist($data);
+        $data = hook_markdown_render_linklist($data, $this->conf);
        $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>'));
        $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>'));
    }
@@ -61,7 +67,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
            ),
        );
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
        $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>'));
        $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>'));
    }
@@ -110,6 +116,8 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
        $output = escape($input);
        $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
        $output .= '<a href="#"  attr="tt">link</a>';
+        $input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>';
+        $output .= '<a href="#"  attr="tt">link</a>';
        $this->assertEquals($output, sanitize_html($input));
        // Do not touch escaped HTML.
        $input = escape($input);
@@ -130,10 +138,10 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
            ))
        );
-        $processed = hook_markdown_render_linklist($data);
+        $processed = hook_markdown_render_linklist($data, $this->conf);
        $this->assertEquals($str, $processed['links'][0]['description']);
-        $processed = hook_markdown_render_feed($data);
+        $processed = hook_markdown_render_feed($data, $this->conf);
        $this->assertEquals($str, $processed['links'][0]['description']);
        $data = array(
@@ -151,7 +159,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
            ),
        );
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
        $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
    }
@@ -169,7 +177,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
            ))
        );
-        $data = hook_markdown_render_feed($data);
+        $data = hook_markdown_render_feed($data, $this->conf);
        $this->assertContains('<em>', $data['links'][0]['description']);
    }
@@ -185,4 +193,41 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
        $data = process_markdown($md);
        $this->assertEquals($html, $data);
    }
+    /**
+     * Make sure that the HTML tags are escaped.
+     */
+    public function testMarkdownWithHtmlEscape()
+    {
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
+    /**
+     * Make sure that the HTML tags aren't escaped with the setting set to false.
+     */
+    public function testMarkdownWithHtmlNoEscape()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
 }
diff --git a/tests/plugins/resources/markdown.html b/tests/plugins/resources/markdown.html
index c0fbe7f4..07a5a32e 100644
--- a/tests/plugins/resources/markdown.html
+++ b/tests/plugins/resources/markdown.html
@@ -12,11 +12,11 @@
 <li><a href="http://link.tld">two</a></li>
 <li><a href="http://link.tld">three</a></li>
 <li><a href="http://link.tld">four</a></li>
-<li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li>
+<li>foo &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt;</li>
 </ol></li>
 </ol>
-<p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p>
+<p>&lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; foo <code>lol #foo</code> &lt;a href=&quot;?addtag=bar&quot; title=&quot;Hashtag bar&quot;&gt;#bar&lt;/a&gt;</p>
-<p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p>
+<p>fsdfs <a href="http://link.tld">http://link.tld</a> &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; <code>http://link.tld</code></p>
 <pre><code>http://link.tld #foobar
 next #foo</code></pre>
 <p>Block:</p>
author	ArthurHoaro <arthur@hoa.ro>	2017-02-27 19:45:55 +0100
committer	ArthurHoaro <arthur@hoa.ro>	2017-02-28 19:16:54 +0100
commit	e03761011521929a375ebb56f21adacb226a3a8d (patch)
tree	6cc318939e74a35d74a037f18bca912b73e5c81e /tests/plugins
parent	5978588578ca103152598ccfbe41019b12e00a4f (diff)
download	Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip