authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-03-04 09:38:12 +0100
commit9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch)
tree5950eea367714b54cb24cdfb57963adf85a907e4 /tests
parent63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff)
Add markdown_escape setting
This setting allows escaping HTML in markdown rendering or not. The goal behind it is to avoid XSS issues in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already has the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'tests')
-rw-r--r--tests/Updater/UpdaterTest.php65
-rw-r--r--tests/plugins/PluginMarkdownTest.php57
-rw-r--r--tests/plugins/resources/markdown.html6
3 files changed, 119 insertions, 9 deletions
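--- a/tests/Updater/UpdaterTest.php
+++ b/tests/Updater/UpdaterTest.php
@@ -385,4 +385,69 @@ $GLOBALS[\'privateLinkByDefault\'] = true;';
         $this->assertTrue($updater->updateMethodDatastoreIds());
         $this->assertEquals($checksum, hash_file('sha1', self::$testDatastore));
     }
+
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin enabled
+     * => setting markdown_escape set to false.
+     */
+    public function testEscapeMarkdownSettingToFalse()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+
+        $this->conf->set('general.enabled_plugins', ['markdown']);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
+
+    /**
+     * Test updateMethodEscapeMarkdown with markdown plugin disabled
+     * => setting markdown_escape set to true.
+     */
+    public function testEscapeMarkdownSettingToTrue()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+
+        $this->conf->set('general.enabled_plugins', []);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+
+        // reload from file
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already enabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoEnabled()
+    {
+        $sandboxConf = 'sandbox/config';
+        copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');
+        $this->conf = new ConfigManager($sandboxConf);
+        $this->conf->set('security.markdown_escape', true);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertTrue($this->conf->get('security.markdown_escape'));
+    }
+
+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already disabled)
+     */
+    public function testEscapeMarkdownSettingNothingToDoDisabled()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $updater = new Updater([], [], $this->conf, true);
+        $this->assertTrue($updater->updateMethodEscapeMarkdown());
+        $this->assertFalse($this->conf->get('security.markdown_escape'));
+    }
 }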
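Review bot: testEscapeMarkdownSettingNothingToDoDisabled, the last added method, skips the sandbox copy that its three siblings perform and runs the updater against whatever `$this->conf` setUp provides; since the sibling tests reload from file to prove that updateMethodEscapeMarkdown() persists the config, this one presumably writes into the shared fixture rather than a throwaway copy. Mirror the siblings before the set() call: `$sandboxConf = 'sandbox/config';` / `copy(self::$configFile . '.json.php', $sandboxConf . '.json.php');` / `$this->conf = new ConfigManager($sandboxConf);`. The ToFalse test also deserves one docblock sentence saying why an updater deliberately switches a security setting off for existing markdown installs (to avoid breaking stored entries, per the commit message), so the next reader does not mistake the asserted `false` for a bug.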
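--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -14,11 +14,17 @@ require_once 'plugins/markdown/markdown.php';
 class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 {
     /**
+     * @var ConfigManager instance.
+     */
+    protected $conf;
+
+    /**
      * Reset plugin path
      */
     function setUp()
     {
         PluginManager::$PLUGINS_PATH = 'plugins';
+        $this->conf = new ConfigManager('tests/utils/config/configJson');
     }
 
     /**
@@ -36,7 +42,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_linklist($data);
+        $data = hook_markdown_render_linklist($data, $this->conf);
         $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>'));
         $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>'));
     }
@@ -61,7 +67,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
         $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>'));
         $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>'));
     }
@@ -110,6 +116,8 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
         $output = escape($input);
         $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
         $output .= '<a href="#" attr="tt">link</a>';
+        $input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>';
+        $output .= '<a href="#" attr="tt">link</a>';
         $this->assertEquals($output, sanitize_html($input));
         // Do not touch escaped HTML.
         $input = escape($input);
@@ -130,10 +138,10 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ))
         );
 
-        $processed = hook_markdown_render_linklist($data);
+        $processed = hook_markdown_render_linklist($data, $this->conf);
         $this->assertEquals($str, $processed['links'][0]['description']);
 
-        $processed = hook_markdown_render_feed($data);
+        $processed = hook_markdown_render_feed($data, $this->conf);
         $this->assertEquals($str, $processed['links'][0]['description']);
 
         $data = array(
@@ -151,7 +159,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ),
         );
 
-        $data = hook_markdown_render_daily($data);
+        $data = hook_markdown_render_daily($data, $this->conf);
         $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
     }
 
@@ -169,7 +177,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
             ))
         );
 
-        $data = hook_markdown_render_feed($data);
+        $data = hook_markdown_render_feed($data, $this->conf);
         $this->assertContains('<em>', $data['links'][0]['description']);
     }
 
@@ -185,4 +193,41 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
         $data = process_markdown($md);
         $this->assertEquals($html, $data);
     }
+
+    /**
+     * Make sure that the HTML tags are escaped.
+     */
+    public function testMarkdownWithHtmlEscape()
+    {
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
+
+    /**
+     * Make sure that the HTML tags aren't escaped with the setting set to false.
+     */
+    public function testMarkdownWithHtmlNoEscape()
+    {
+        $this->conf->set('security.markdown_escape', false);
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data, $this->conf);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
 }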
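Review bot: testMarkdownWithHtmlNoEscape in the last hunk is the only end-to-end test of the `security.markdown_escape = false` path, and its input is a benign `<strong>` tag, so nothing in this file checks that the render hook still applies sanitize_html to its output when escaping is off — the property the commit message relies on when it calls the sanitization "improved but not XSS proof". Add a sibling test that sets the flag to false, pushes the `onmouseHover` anchor already used in the sanitize_html test (the -110,6 hunk) through hook_markdown_render_linklist with `$this->conf`, and asserts the handler attribute is absent from the resulting description. testMarkdownWithHtmlEscape pins the secure default only implicitly: it passes because tests/utils/config/configJson apparently does not define `security.markdown_escape`, which deserves a comment such as `// relies on the fixture config leaving security.markdown_escape unset, so the default (escape) applies`.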
diff --git a/tests/plugins/resources/markdown.html b/tests/plugins/resources/markdown.html
index c0fbe7f4..07a5a32e 100644
--- a/tests/plugins/resources/markdown.html
+++ b/tests/plugins/resources/markdown.html
@@ -12,11 +12,11 @@
12<li><a href="http://link.tld">two</a></li> 12<li><a href="http://link.tld">two</a></li>
13<li><a href="http://link.tld">three</a></li> 13<li><a href="http://link.tld">three</a></li>
14<li><a href="http://link.tld">four</a></li> 14<li><a href="http://link.tld">four</a></li>
15<li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li> 15<li>foo &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt;</li>
16</ol></li> 16</ol></li>
17</ol> 17</ol>
18<p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p> 18<p>&lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; foo <code>lol #foo</code> &lt;a href=&quot;?addtag=bar&quot; title=&quot;Hashtag bar&quot;&gt;#bar&lt;/a&gt;</p>
19<p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p> 19<p>fsdfs <a href="http://link.tld">http://link.tld</a> &lt;a href=&quot;?addtag=foobar&quot; title=&quot;Hashtag foobar&quot;&gt;#foobar&lt;/a&gt; <code>http://link.tld</code></p>
20<pre><code>http://link.tld #foobar 20<pre><code>http://link.tld #foobar
21next #foo</code></pre> 21next #foo</code></pre>
22<p>Block:</p> 22<p>Block:</p>