Merge pull request #491 from ArthurHoaro/markdown-escape2

Markdown: don't escape content + sanitize sensible tags
author: Arthur <arthur@hoa.ro> 2016-02-25 08:52:42 +0100
committer: Arthur <arthur@hoa.ro> 2016-02-25 08:52:42 +0100
commit: 10269bc8c9dfe87eb213c09a44308ce64ae0c12d (patch)
tree: 90bbe4d9f5b5788cc348c3883efe22deb659ded9 /tests
parent: cee0d9609f7cf860cf951ca2d838cfaacecd37d2 (diff)
parent: 2925687e1e86dc113116330efd547b9db5c0f1a6 (diff)
download: Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.gz
Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.zst
Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.zip
1 files changed, 12 insertions, 7 deletions
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index 455f5ba7..8e1a128a 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
    }
    /**
-     * Test reset_quote_tags()
+     * Test sanitize_html().
     */
-    function testResetQuoteTags()
+    function testSanitizeHtml() {
-    {
+        $input = '< script src="js.js"/>';
-        $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';
+        $input .= '< script attr>alert(\'xss\');</script>';
-        $processedText = escape($text);
+        $input .= '<style> * { display: none }</style>';
-        $reversedText = reset_quote_tags($processedText);
+        $output = escape($input);
-        $this->assertEquals($text, $reversedText);
+        $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
+        $output .= '<a href="#"  attr="tt">link</a>';
+        $this->assertEquals($output, sanitize_html($input));
+        // Do not touch escaped HTML.
+        $input = escape($input);
+        $this->assertEquals($input, sanitize_html($input));
    }
 }
author	Arthur <arthur@hoa.ro>	2016-02-25 08:52:42 +0100
committer	Arthur <arthur@hoa.ro>	2016-02-25 08:52:42 +0100
commit	10269bc8c9dfe87eb213c09a44308ce64ae0c12d (patch)
tree	90bbe4d9f5b5788cc348c3883efe22deb659ded9 /tests
parent	cee0d9609f7cf860cf951ca2d838cfaacecd37d2 (diff)
parent	2925687e1e86dc113116330efd547b9db5c0f1a6 (diff)
download	Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.gz Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.zst Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.zip

diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php index 455f5ba7..8e1a128a 100644 --- a/tests/plugins/PluginMarkdownTest.php +++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
100	}	100	}
101		101
102	/**	102	/**
103	* Test reset_quote_tags()	103	* Test sanitize_html().
104	*/	104	*/
105	function testResetQuoteTags()	105	function testSanitizeHtml() {
106	{	106	$input = '< script src="js.js"/>';
107	$text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';	107	$input .= '< script attr>alert(\'xss\');</script>';
108	$processedText = escape($text);	108	$input .= '<style> * { display: none }</style>';
109	$reversedText = reset_quote_tags($processedText);	109	$output = escape($input);
110	$this->assertEquals($text, $reversedText);	110	$input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
		111	$output .= '<a href="#" attr="tt">link</a>';
		112	$this->assertEquals($output, sanitize_html($input));
		113	// Do not touch escaped HTML.
		114	$input = escape($input);
		115	$this->assertEquals($input, sanitize_html($input));
111	}	116	}
112	}	117	}