Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add a whitelist of protocols for URLs

Browse source 
- for Shaare
 - for markdown description links and images

Not whitelisted protocols will be replaced by `http://`
This commit is contained in:
ArthurHoaro 2017-05-25 14:52:42 +02:00
parent 61c15aa555
commit 86ceea054f
8 changed files with 151 additions and 16 deletions

11
tests/plugins/PluginMarkdownTest.php
View file

@ -26,6 +26,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
{
PluginManager::$PLUGINS_PATH = 'plugins';
$this->conf = new ConfigManager('tests/utils/config/configJson');
$this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
}
/**
@ -183,15 +184,19 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
}
/**
* Test hashtag links processed with markdown.
* Make sure that the generated HTML match the reference HTML file.
*/
public function testMarkdownHashtagLinks()
public function testMarkdownGlobalProcessDescription()
{
$md = file_get_contents('tests/plugins/resources/markdown.md');
$md = format_description($md);
$html = file_get_contents('tests/plugins/resources/markdown.html');
$data = process_markdown($md);
$data = process_markdown(
$md,
$this->conf->get('security.markdown_escape', true),
$this->conf->get('security.allowed_protocols')
);
$this->assertEquals($html, $data);
}

11
tests/plugins/resources/markdown.html
View file

@ -21,4 +21,13 @@
next #foo</code></pre>
<p>Block:</p>
<pre><code>lorem ipsum #foobar http://link.tld
#foobar http://link.tld</code></pre></div>
#foobar http://link.tld</code></pre>
<p><a href="?123456">link</a><br />
<img src="/img/train.png" alt="link" /><br />
<a href="http://test.tld/path/?query=value#hash">link</a><br />
<a href="http://test.tld/path/?query=value#hash">link</a><br />
<a href="https://test.tld/path/?query=value#hash">link</a><br />
<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
<a href="http://alert('xss')">link</a><br />
<a href="http://test.tld/path/?query=value#hash">link</a></p></div>

12
tests/plugins/resources/markdown.md
View file

@ -21,4 +21,14 @@ Block:
```
lorem ipsum #foobar http://link.tld
#foobar http://link.tld
```
```
[link](?123456)
![link](/img/train.png)
[link](test.tld/path/?query=value#hash)
[link](http://test.tld/path/?query=value#hash)
[link](https://test.tld/path/?query=value#hash)
[link](ftp://test.tld/path/?query=value#hash)
[link](magnet:test.tld/path/?query=value#hash)
[link](javascript:alert('xss'))
[link](other://test.tld/path/?query=value#hash)