authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerArthurHoaro <arthur@hoa.ro>2017-02-28 19:16:54 +0100
commite03761011521929a375ebb56f21adacb226a3a8d (patch)
tree6cc318939e74a35d74a037f18bca912b73e5c81e /tests/plugins
parent5978588578ca103152598ccfbe41019b12e00a4f (diff)
Add markdown_escape setting
This setting controls whether HTML is escaped during markdown rendering. Its goal is to avoid XSS issues on shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already has the plugin enabled (to avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'tests/plugins')
-rw-r--r--tests/plugins/PluginMarkdownTest.php57
-rw-r--r--tests/plugins/resources/markdown.html6
2 files changed, 54 insertions, 9 deletions
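diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index d359b2a1..d4cd1b97 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -14,11 +14,17 @@ require_once 'plugins/markdown/markdown.php';
 class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 {
  /**
+ * @var ConfigManager instance.
+ */
+ protected $conf;
+
+ /**
  * Reset plugin path
  */
  public function setUp()
  {
  PluginManager::$PLUGINS_PATH = 'plugins';
+ $this->conf = new ConfigManager('tests/utils/config/configJson');
  }
 
  /**
@@ -36,7 +42,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  ),
  );
 
- $data = hook_markdown_render_linklist($data);
+ $data = hook_markdown_render_linklist($data, $this->conf);
  $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>'));
  $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>'));
  }
@@ -61,7 +67,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  ),
  );
 
- $data = hook_markdown_render_daily($data);
+ $data = hook_markdown_render_daily($data, $this->conf);
  $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>'));
  $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>'));
  }
@@ -110,6 +116,8 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  $output = escape($input);
  $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
  $output .= '<a href="#" attr="tt">link</a>';
+ $input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>';
+ $output .= '<a href="#" attr="tt">link</a>';
  $this->assertEquals($output, sanitize_html($input));
  // Do not touch escaped HTML.
  $input = escape($input);
@@ -130,10 +138,10 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  ))
  );
 
- $processed = hook_markdown_render_linklist($data);
+ $processed = hook_markdown_render_linklist($data, $this->conf);
  $this->assertEquals($str, $processed['links'][0]['description']);
 
- $processed = hook_markdown_render_feed($data);
+ $processed = hook_markdown_render_feed($data, $this->conf);
  $this->assertEquals($str, $processed['links'][0]['description']);
 
  $data = array(
@@ -151,7 +159,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  ),
  );
 
- $data = hook_markdown_render_daily($data);
+ $data = hook_markdown_render_daily($data, $this->conf);
  $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
  }
 
@@ -169,7 +177,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  ))
  );
 
- $data = hook_markdown_render_feed($data);
+ $data = hook_markdown_render_feed($data, $this->conf);
  $this->assertContains('<em>', $data['links'][0]['description']);
  }
 
@@ -185,4 +193,41 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  $data = process_markdown($md);
  $this->assertEquals($html, $data);
  }
+
+ /**
+ * Make sure that the HTML tags are escaped.
+ */
+ public function testMarkdownWithHtmlEscape()
+ {
+ $md = '**strong** <strong>strong</strong>';
+ $html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
+ $data = array(
+ 'links' => array(
+ 0 => array(
+ 'description' => $md,
+ ),
+ ),
+ );
+ $data = hook_markdown_render_linklist($data, $this->conf);
+ $this->assertEquals($html, $data['links'][0]['description']);
+ }
+
+ /**
+ * Make sure that the HTML tags aren't escaped with the setting set to false.
+ */
+ public function testMarkdownWithHtmlNoEscape()
+ {
+ $this->conf->set('security.markdown_escape', false);
+ $md = '**strong** <strong>strong</strong>';
+ $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+ $data = array(
+ 'links' => array(
+ 0 => array(
+ 'description' => $md,
+ ),
+ ),
+ );
+ $data = hook_markdown_render_linklist($data, $this->conf);
+ $this->assertEquals($html, $data['links'][0]['description']);
+ }
 }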
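Review bot: testMarkdownWithHtmlEscape (new line 200) never sets `security.markdown_escape`, so it pins whatever the `tests/utils/config/configJson` fixture or the hook's fallback provides (neither is visible here) rather than the escaping behaviour itself; add `$this->conf->set('security.markdown_escape', true);` at the top of that test, mirroring the explicit `false` in testMarkdownWithHtmlNoEscape. The new sanitize_html case at new line 119 only extends coverage to an unquoted `on*` attribute, and the commit message itself says the unescaped mode is not XSS-proof, so the escape-mode tests should also pin that a realistic payload comes out inert rather than only checking `<strong>`. The `&lt;strong&gt;` expectation on new line 203 suggests escape() is htmlspecialchars-like, but I have not confirmed that from this diff, so the test below asserts only that no raw `<img` tag survives; a `javascript:` href through a markdown link is a second case worth pinning once sanitize_html's handling of it is known.
```php
    /**
     * Escape mode (the default) must neutralise an actual XSS payload, not only <strong>.
     */
    public function testMarkdownWithHtmlEscapeXssPayload()
    {
        $this->conf->set('security.markdown_escape', true);
        $md = '<img src=x onerror=alert(1)>';
        $data = array('links' => array(0 => array('description' => $md)));
        $data = hook_markdown_render_linklist($data, $this->conf);
        $this->assertNotContains('<img', $data['links'][0]['description']);
        $this->assertContains('&lt;img', $data['links'][0]['description']);
    }
```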
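diff --git a/tests/plugins/resources/markdown.html b/tests/plugins/resources/markdown.html
index c0fbe7f4..07a5a32e 100644
--- a/tests/plugins/resources/markdown.html
+++ b/tests/plugins/resources/markdown.html
@@ -12,11 +12,11 @@
 <li><a href="http://link.tld">two</a></li>
 <li><a href="http://link.tld">three</a></li>
 <li><a href="http://link.tld">four</a></li>
-<li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li>
+<li>foo &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt;</li>
 </ol></li>
 </ol>
-<p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p>
-<p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p>
+<p>&lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; foo <code>lol #foo</code> &lt;a href=&quot;?addtag=bar&quot; title=&quot;Hashtag bar&quot;&gt;#bar&lt;/a&gt;</p>
+<p>fsdfs <a href="http://link.tld">http://link.tld</a> &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; <code>http://link.tld</code></p>
 <pre><code>http://link.tld #foobar
 next #foo</code></pre>
 <p>Block:</p>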
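Review bot: The changed expectations on lines 15, 18 and 19 show the `?addtag=` hashtag anchors rendered as escaped text in the default (escape) mode, so this fixture now documents that `#foobar`/`#bar` in this input no longer become links. If the real hook reverses Shaarli's own hashtag anchors before escaping and re-links them afterwards (I cannot see markdown.php or the input fixture from this diff), that is fine but deserves a comment; if it does not, this is a functional regression hidden behind a security fix and the expectation should not simply be updated. Either way, a sentence in the plugin README such as `In escape mode, raw HTML in a description (including hand-written hashtag anchors) is displayed literally rather than rendered.` would make the trade-off explicit to operators enabling the setting.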