aboutsummaryrefslogtreecommitdiffhomepage
path: root/tests
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2016-02-19 19:37:13 +0100
committerArthurHoaro <arthur@hoa.ro>2016-02-19 19:37:13 +0100
commit2925687e1e86dc113116330efd547b9db5c0f1a6 (patch)
tree706706ddfc9472e51494db912f9bee03972ce93f /tests
parentbfec695df1205864b46ca7175e1598b184602687 (diff)
downloadShaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.gz
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.zst
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.zip
Markdown: don't escape content + sanitize sensible tags
Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
Diffstat (limited to 'tests')
-rw-r--r--tests/plugins/PluginMarkdownTest.php19
1 files changed, 12 insertions, 7 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index 455f5ba7..8e1a128a 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
100 } 100 }
101 101
102 /** 102 /**
103 * Test reset_quote_tags() 103 * Test sanitize_html().
104 */ 104 */
105 function testResetQuoteTags() 105 function testSanitizeHtml() {
106 { 106 $input = '< script src="js.js"/>';
107 $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote'; 107 $input .= '< script attr>alert(\'xss\');</script>';
108 $processedText = escape($text); 108 $input .= '<style> * { display: none }</style>';
109 $reversedText = reset_quote_tags($processedText); 109 $output = escape($input);
110 $this->assertEquals($text, $reversedText); 110 $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
111 $output .= '<a href="#" attr="tt">link</a>';
112 $this->assertEquals($output, sanitize_html($input));
113 // Do not touch escaped HTML.
114 $input = escape($input);
115 $this->assertEquals($input, sanitize_html($input));
111 } 116 }
112} 117}