MyShaarli/tests/plugins/PluginMarkdownTest.php
ArthurHoaro e037610115 Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.

More info:

  * the setting is set to true by default
  * it is set to false for anyone who already have the plugin enabled
  (avoid breaking existing entries)
  * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
  * mention the setting in the plugin README
2017-02-28 19:16:54 +01:00

233 lines
7.1 KiB
PHP

<?php
/**
* PluginMarkdownTest.php
*/
require_once 'application/Utils.php';
require_once 'plugins/markdown/markdown.php';
/**
* Class PluginMarkdownTest
* Unit test for the Markdown plugin
*/
class PluginMarkdownTest extends PHPUnit_Framework_TestCase
{
/**
* @var ConfigManager instance.
*/
protected $conf;
/**
* Reset plugin path
*/
public function setUp()
{
PluginManager::$PLUGINS_PATH = 'plugins';
$this->conf = new ConfigManager('tests/utils/config/configJson');
}
/**
* Test render_linklist hook.
* Only check that there is basic markdown rendering.
*/
public function testMarkdownLinklist()
{
$markdown = '# My title' . PHP_EOL . 'Very interesting content.';
$data = array(
'links' => array(
0 => array(
'description' => $markdown,
),
),
);
$data = hook_markdown_render_linklist($data, $this->conf);
$this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>'));
$this->assertNotFalse(strpos($data['links'][0]['description'], '<p>'));
}
/**
* Test render_daily hook.
* Only check that there is basic markdown rendering.
*/
public function testMarkdownDaily()
{
$markdown = '# My title' . PHP_EOL . 'Very interesting content.';
$data = array(
// Columns data
'cols' => array(
// First, second, third.
0 => array(
// nth link
0 => array(
'formatedDescription' => $markdown,
),
),
),
);
$data = hook_markdown_render_daily($data, $this->conf);
$this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>'));
$this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>'));
}
/**
* Test reverse_text2clickable().
*/
public function testReverseText2clickable()
{
$text = 'stuff http://hello.there/is=someone#here otherstuff';
$clickableText = text2clickable($text, '');
$reversedText = reverse_text2clickable($clickableText);
$this->assertEquals($text, $reversedText);
}
/**
* Test reverse_nl2br().
*/
public function testReverseNl2br()
{
$text = 'stuff' . PHP_EOL . 'otherstuff';
$processedText = nl2br($text);
$reversedText = reverse_nl2br($processedText);
$this->assertEquals($text, $reversedText);
}
/**
* Test reverse_space2nbsp().
*/
public function testReverseSpace2nbsp()
{
$text = ' stuff' . PHP_EOL . ' otherstuff and another';
$processedText = space2nbsp($text);
$reversedText = reverse_space2nbsp($processedText);
$this->assertEquals($text, $reversedText);
}
/**
* Test sanitize_html().
*/
public function testSanitizeHtml()
{
$input = '< script src="js.js"/>';
$input .= '< script attr>alert(\'xss\');</script>';
$input .= '<style> * { display: none }</style>';
$output = escape($input);
$input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>';
$output .= '<a href="#" attr="tt">link</a>';
$input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>';
$output .= '<a href="#" attr="tt">link</a>';
$this->assertEquals($output, sanitize_html($input));
// Do not touch escaped HTML.
$input = escape($input);
$this->assertEquals($input, sanitize_html($input));
}
/**
* Test the no markdown tag.
*/
public function testNoMarkdownTag()
{
$str = 'All _work_ and `no play` makes Jack a *dull* boy.';
$data = array(
'links' => array(array(
'description' => $str,
'tags' => NO_MD_TAG,
'taglist' => array(NO_MD_TAG),
))
);
$processed = hook_markdown_render_linklist($data, $this->conf);
$this->assertEquals($str, $processed['links'][0]['description']);
$processed = hook_markdown_render_feed($data, $this->conf);
$this->assertEquals($str, $processed['links'][0]['description']);
$data = array(
// Columns data
'cols' => array(
// First, second, third.
0 => array(
// nth link
0 => array(
'formatedDescription' => $str,
'tags' => NO_MD_TAG,
'taglist' => array(),
),
),
),
);
$data = hook_markdown_render_daily($data, $this->conf);
$this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
}
/**
* Test that a close value to nomarkdown is not understand as nomarkdown (previous value `.nomarkdown`).
*/
public function testNoMarkdownNotExcactlyMatching()
{
$str = 'All _work_ and `no play` makes Jack a *dull* boy.';
$data = array(
'links' => array(array(
'description' => $str,
'tags' => '.' . NO_MD_TAG,
'taglist' => array('.'. NO_MD_TAG),
))
);
$data = hook_markdown_render_feed($data, $this->conf);
$this->assertContains('<em>', $data['links'][0]['description']);
}
/**
* Test hashtag links processed with markdown.
*/
public function testMarkdownHashtagLinks()
{
$md = file_get_contents('tests/plugins/resources/markdown.md');
$md = format_description($md);
$html = file_get_contents('tests/plugins/resources/markdown.html');
$data = process_markdown($md);
$this->assertEquals($html, $data);
}
/**
* Make sure that the HTML tags are escaped.
*/
public function testMarkdownWithHtmlEscape()
{
$md = '**strong** <strong>strong</strong>';
$html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
$data = array(
'links' => array(
0 => array(
'description' => $md,
),
),
);
$data = hook_markdown_render_linklist($data, $this->conf);
$this->assertEquals($html, $data['links'][0]['description']);
}
/**
* Make sure that the HTML tags aren't escaped with the setting set to false.
*/
public function testMarkdownWithHtmlNoEscape()
{
$this->conf->set('security.markdown_escape', false);
$md = '**strong** <strong>strong</strong>';
$html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
$data = array(
'links' => array(
0 => array(
'description' => $md,
),
),
);
$data = hook_markdown_render_linklist($data, $this->conf);
$this->assertEquals($html, $data['links'][0]['description']);
}
}