From 2925687e1e86dc113116330efd547b9db5c0f1a6 Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Fri, 19 Feb 2016 19:37:13 +0100
Subject: Markdown: don't escape content + sanitize sensible tags

Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
---
 tests/plugins/PluginMarkdownTest.php | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'tests/plugins')
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index 455f5ba7..8e1a128a 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 }
 /**
- * Test reset_quote_tags()
+ * Test sanitize_html().
 */
- function testResetQuoteTags()
- {
- $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';
- $processedText = escape($text);
- $reversedText = reset_quote_tags($processedText);
- $this->assertEquals($text, $reversedText);
+ function testSanitizeHtml() {
+ $input = '< script src="js.js"/>';
+ $input .= '< script attr>alert(\'xss\');';
+ $input .= '';
+ $output = escape($input);
+ $input .= 'link';
+ $output .= 'link';
+ $this->assertEquals($output, sanitize_html($input));
+ // Do not touch escaped HTML.
+ $input = escape($input);
+ $this->assertEquals($input, sanitize_html($input));
 }
 }
-- 
cgit v1.2.3
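Review bot: The fixture only exercises the tag written with a leading space (`< script …`), so a sanitizer that matches by pattern could pass this test and still not cover the plain `<script>` spelling or an upper-case tag name; if sanitize_html() is meant to escape the tag in every spelling, a second fixture such as `$input = '<SCRIPT>x</SCRIPT>';` asserted against `escape($input)` would pin that. Several appended literals read as empty (`$input .= '';`) and the `link` lines carry no markup, which looks like the page stripped HTML from the hunk, so the exact expected strings cannot be checked here. The docblock could state the contract the two assertions encode, e.g. `* sanitize_html() escapes unsafe tags, leaves harmless markup untouched and is a no-op on already-escaped input.` Also `function testSanitizeHtml() {` puts the brace on the signature line, while the removed method and the surrounding class put it on the next line.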