  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. class SanitizeTest extends PHPUnit_Framework_TestCase {
  5. private $http;
  6. public function setUp() {
  7. $this->client = new Parse();
  8. $this->client->http = new p3k\HTTPTest(dirname(__FILE__).'/data/');
  9. $this->client->mc = null;
  10. }
  11. private function parse($params) {
  12. $request = new Request($params);
  13. $response = new Response();
  14. return $this->client->parse($request, $response);
  15. }
  16. public function testAllowsWhitelistedTags() {
  17. $url = 'http://sanitize.example/entry-with-valid-tags';
  18. $response = $this->parse(['url' => $url]);
  19. $body = $response->getContent();
  20. $this->assertEquals(200, $response->getStatusCode());
  21. $data = json_decode($body, true);
  22. $html = $data['data']['content']['html'];
  23. $this->assertEquals('entry', $data['data']['type']);
  24. $this->assertContains('This content has only valid tags.', $html);
  25. $this->assertContains('<a href="http://sanitize.example/example">links</a>,', $html, '<a> missing');
  26. $this->assertContains('<abbr>abbreviations</abbr>,', $html, '<abbr> missing');
  27. $this->assertContains('<b>bold</b>,', $html, '<b> missing');
  28. $this->assertContains('<code>inline code</code>,', $html, '<code> missing');
  29. $this->assertContains('<del>delete</del>,', $html, '<del> missing');
  30. $this->assertContains('<em>emphasis</em>,', $html, '<em> missing');
  31. $this->assertContains('<i>italics</i>,', $html, '<i> missing');
  32. $this->assertContains('<img alt="images are allowed" src="http://sanitize.example/example.jpg" />', $html, '<img> missing');
  33. $this->assertContains('<q>inline quote</q>,', $html, '<q> missing');
  34. $this->assertContains('<strike>strikethrough</strike>,', $html, '<strike> missing');
  35. $this->assertContains('<strong>strong text</strong>,', $html, '<strong> missing');
  36. $this->assertContains('<time datetime="2016-01-01">time elements</time>', $html, '<time> missing');
  37. $this->assertContains('<blockquote>Blockquote tags are okay</blockquote>', $html);
  38. $this->assertContains('<pre>preformatted text is okay too', $html, '<pre> missing');
  39. $this->assertContains('for code examples and such</pre>', $html, '<pre> missing');
  40. $this->assertContains('<p>Paragraph tags are allowed</p>', $html, '<p> missing');
  41. $this->assertContains('<h1>One</h1>', $html, '<h1> missing');
  42. $this->assertContains('<h2>Two</h2>', $html, '<h2> missing');
  43. $this->assertContains('<h3>Three</h3>', $html, '<h3> missing');
  44. $this->assertContains('<h4>Four</h4>', $html, '<h4> missing');
  45. $this->assertContains('<h5>Five</h5>', $html, '<h5> missing');
  46. $this->assertContains('<h6>Six</h6>', $html, '<h6> missing');
  47. $this->assertContains('<ul>', $html, '<ul> missing');
  48. $this->assertContains('<li>One</li>', $html, '<li> missing');
  49. }
  50. public function testRemovesUnsafeTags() {
  51. $url = 'http://sanitize.example/entry-with-unsafe-tags';
  52. $response = $this->parse(['url' => $url]);
  53. $body = $response->getContent();
  54. $this->assertEquals(200, $response->getStatusCode());
  55. $data = json_decode($body, true);
  56. $html = $data['data']['content']['html'];
  57. $text = $data['data']['content']['text'];
  58. $this->assertEquals('entry', $data['data']['type']);
  59. $this->assertNotContains('<script>', $html);
  60. $this->assertNotContains('<style>', $html);
  61. $this->assertNotContains('visiblity', $html); // from the CSS
  62. $this->assertNotContains('alert', $html); // from the JS
  63. $this->assertNotContains('visiblity', $text);
  64. $this->assertNotContains('alert', $text);
  65. }
  66. public function testAllowsMF2Classes() {
  67. $url = 'http://sanitize.example/entry-with-mf2-classes';
  68. $response = $this->parse(['url' => $url]);
  69. $body = $response->getContent();
  70. $this->assertEquals(200, $response->getStatusCode());
  71. $data = json_decode($body, true);
  72. $html = $data['data']['content']['html'];
  73. $this->assertEquals('entry', $data['data']['type']);
  74. $this->assertContains('<h2 class="p-name">Hello World</h2>', $html);
  75. $this->assertContains('<h3>Utility Class</h3>', $html);
  76. }
  77. public function testEscapingHTMLTagsInText() {
  78. $url = 'http://sanitize.example/html-escaping-in-text';
  79. $response = $this->parse(['url' => $url]);
  80. $body = $response->getContent();
  81. $this->assertEquals(200, $response->getStatusCode());
  82. $data = json_decode($body, true);
  83. $this->assertEquals('entry', $data['data']['type']);
  84. $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  85. }
  86. public function testEscapingHTMLTagsInHTML() {
  87. $url = 'http://sanitize.example/html-escaping-in-html';
  88. $response = $this->parse(['url' => $url]);
  89. $body = $response->getContent();
  90. $this->assertEquals(200, $response->getStatusCode());
  91. $data = json_decode($body, true);
  92. $this->assertEquals('entry', $data['data']['type']);
  93. $this->assertArrayNotHasKey('name', $data['data']);
  94. $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  95. $this->assertEquals('This content has some <i>HTML escaped</i> entities such as &amp; ampersand, " quote, escaped &lt;code&gt; HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
  96. }
  97. public function testSanitizeJavascriptURLs() {
  98. $url = 'http://sanitize.example/h-entry-with-javascript-urls';
  99. $response = $this->parse(['url' => $url]);
  100. $body = $response->getContent();
  101. $this->assertEquals(200, $response->getStatusCode());
  102. $data = json_decode($body, true);
  103. $this->assertEquals('entry', $data['data']['type']);
  104. $this->assertEquals('', $data['data']['author']['url']);
  105. $this->assertArrayNotHasKey('url', $data['data']);
  106. $this->assertArrayNotHasKey('photo', $data['data']);
  107. $this->assertArrayNotHasKey('audio', $data['data']);
  108. $this->assertArrayNotHasKey('video', $data['data']);
  109. $this->assertArrayNotHasKey('syndication', $data['data']);
  110. $this->assertArrayNotHasKey('in-reply-to', $data['data']);
  111. $this->assertArrayNotHasKey('like-of', $data['data']);
  112. $this->assertArrayNotHasKey('repost-of', $data['data']);
  113. $this->assertArrayNotHasKey('bookmark-of', $data['data']);
  114. $this->assertEquals('Author', $data['data']['author']['name']);
  115. $this->assertEquals('', $data['data']['author']['photo']);
  116. }
  117. public function testSanitizeEmailAuthorURL() {
  118. $url = 'http://sanitize.example/h-entry-with-email-author';
  119. $response = $this->parse(['url' => $url]);
  120. $body = $response->getContent();
  121. $this->assertEquals(200, $response->getStatusCode());
  122. $data = json_decode($body);
  123. $this->assertEquals('entry', $data->data->type);
  124. $this->assertEquals('', $data->data->author->url);
  125. $this->assertEquals('Author', $data->data->author->name);
  126. $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->author->photo);
  127. }
  128. }