Markdown: don't escape content + sanitize sensible tags

Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
2016-02-19 19:37:13 +01:00 · 2016-02-19 19:37:13 +01:00 · 2925687e1e
commit 2925687e1e
parent bfec695df1
3 changed files with 58 additions and 16 deletions
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@ -100,13 +100,18 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
    }

    /**
-     * Test reset_quote_tags()
+     * Test sanitize_html().
     */
-    function testResetQuoteTags()
-    {
-        $text = '> quote1'. PHP_EOL . ' > quote2 ' . PHP_EOL . 'noquote';
-        $processedText = escape($text);
-        $reversedText = reset_quote_tags($processedText);
-        $this->assertEquals($text, $reversedText);
+    function testSanitizeHtml() {
+        $input = '< script src="js.js"/>';
+        $input .= '< script attr>alert(\'xss\');</script>';
+        $input .= '<style> * { display: none }</style>';
+        $output = escape($input);
+        $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
+        $output .= '<a href="#"  attr="tt">link</a>';
+        $this->assertEquals($output, sanitize_html($input));
+        // Do not touch escaped HTML.
+        $input = escape($input);
+        $this->assertEquals($input, sanitize_html($input));
    }
 }