p3k
/
XRay
mirror of https://github.com/aaronpk/XRay.git
1
0
Fork 0
Code Issues 0 Releases 77 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
160 Commits
2 Branches
259 MiB
Tree: 85b8a35212
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '85b8a35212'
${ noResults }
XRay/tests/SanitizeTest.php

154 lines
7.0 KiB
Raw Normal View History

sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
reorganize XRay classes, use p3k-http lib * removes the HTTP classes from this project and uses p3k-http library instead * reorganizes the XRay classes into a psr-4 compatible folder * moves controller autoload into -dev in preparation for turning this into a library (#17)
7 years ago
add tests for validating URL fields * fields that should be URLs will now be omitted if the value was not a URL, such as when the value is `javascript:alert()` * makes Mf2 class slightly more self-contained by duplicating the URL helper functions into it * fixes tests to not cache responses in memcache
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
fix test for img in sanitize test
7 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
sanitize HTML in the entry allow only a basic set of tags, and remove any non-mf2 classes closes #2
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
allow ul/li/ol
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
tests for sanitizing and escaping HTML use fork of php-mf2 until https://github.com/indieweb/php-mf2/pull/83 is merged
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
tests for sanitizing and escaping HTML use fork of php-mf2 until https://github.com/indieweb/php-mf2/pull/83 is merged
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
sanitize HTML in the entry allow only a basic set of tags, and remove any non-mf2 classes closes #2
8 years ago
restrict matching mf2 classes to only lowercase names see http://microformats.org/wiki/microformats2-parsing-issues#ignore_u-camelCase_properties for background
8 years ago
sanitize HTML in the entry allow only a basic set of tags, and remove any non-mf2 classes closes #2
8 years ago
tests for sanitizing and escaping HTML use fork of php-mf2 until https://github.com/indieweb/php-mf2/pull/83 is merged
8 years ago
add tests for validating URL fields * fields that should be URLs will now be omitted if the value was not a URL, such as when the value is `javascript:alert()` * makes Mf2 class slightly more self-contained by duplicating the URL helper functions into it * fixes tests to not cache responses in memcache
8 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. 

  5. class SanitizeTest extends PHPUnit_Framework_TestCase {
  6. 

  7.   private $http;
  8. 

  9.   public function setUp() {
  10.     $this->client = new Parse();
  11.     $this->client->http = new p3k\HTTP\Test(dirname(__FILE__).'/data/');
  12.     $this->client->mc = null;
  13.   }
  14. 

  15.   private function parse($params) {
  16.     $request = new Request($params);
  17.     $response = new Response();
  18.     return $this->client->parse($request, $response);
  19.   }
  20. 

  21.   public function testAllowsWhitelistedTags() {
  22.     $url = 'http://sanitize.example/entry-with-valid-tags';
  23.     $response = $this->parse(['url' => $url]);
  24. 

  25.     $body = $response->getContent();
  26.     $this->assertEquals(200, $response->getStatusCode());
  27.     $data = json_decode($body, true);
  28.     $html = $data['data']['content']['html'];
  29. 

  30.     $this->assertEquals('entry', $data['data']['type']);
  31.     $this->assertContains('This content has only valid tags.', $html); 
  32.     $this->assertContains('<a href="http://sanitize.example/example">links</a>,', $html, '<a> missing'); 
  33.     $this->assertContains('<abbr>abbreviations</abbr>,', $html, '<abbr> missing'); 
  34.     $this->assertContains('<b>bold</b>,', $html, '<b> missing'); 
  35.     $this->assertContains('<code>inline code</code>,', $html, '<code> missing'); 
  36.     $this->assertContains('<del>delete</del>,', $html, '<del> missing'); 
  37.     $this->assertContains('<em>emphasis</em>,', $html, '<em> missing'); 
  38.     $this->assertContains('<i>italics</i>,', $html, '<i> missing'); 
  39.     $this->assertContains('<img src="http://sanitize.example/example.jpg" alt="images are allowed" />', $html, '<img> missing'); 
  40.     $this->assertContains('<q>inline quote</q>,', $html, '<q> missing');
  41.     $this->assertContains('<strike>strikethrough</strike>,', $html, '<strike> missing');
  42.     $this->assertContains('<strong>strong text</strong>,', $html, '<strong> missing');
  43.     $this->assertContains('<time datetime="2016-01-01">time elements</time>', $html, '<time> missing');
  44.     $this->assertContains('<blockquote>Blockquote tags are okay</blockquote>', $html);
  45.     $this->assertContains('<pre>preformatted text is okay too', $html, '<pre> missing');
  46.     $this->assertContains('for code examples and such</pre>', $html, '<pre> missing');
  47.     $this->assertContains('<p>Paragraph tags are allowed</p>', $html, '<p> missing');
  48.     $this->assertContains('<h1>One</h1>', $html, '<h1> missing');
  49.     $this->assertContains('<h2>Two</h2>', $html, '<h2> missing');
  50.     $this->assertContains('<h3>Three</h3>', $html, '<h3> missing');
  51.     $this->assertContains('<h4>Four</h4>', $html, '<h4> missing');
  52.     $this->assertContains('<h5>Five</h5>', $html, '<h5> missing');
  53.     $this->assertContains('<h6>Six</h6>', $html, '<h6> missing');
  54.     $this->assertContains('<ul>', $html, '<ul> missing');
  55.     $this->assertContains('<li>One</li>', $html, '<li> missing');
  56.   }
  57. 

  58.   public function testRemovesUnsafeTags() {
  59.     $url = 'http://sanitize.example/entry-with-unsafe-tags';
  60.     $response = $this->parse(['url' => $url]);
  61. 

  62.     $body = $response->getContent();
  63.     $this->assertEquals(200, $response->getStatusCode());
  64.     $data = json_decode($body, true);
  65.     $html = $data['data']['content']['html'];
  66.     $text = $data['data']['content']['text'];
  67. 

  68.     $this->assertEquals('entry', $data['data']['type']);
  69.     $this->assertNotContains('<script>', $html);
  70.     $this->assertNotContains('<style>', $html);
  71.     $this->assertNotContains('visiblity', $html); // from the CSS

  72.     $this->assertNotContains('alert', $html); // from the JS

  73.     $this->assertNotContains('visiblity', $text);
  74.     $this->assertNotContains('alert', $text);
  75.   }
  76. 

  77.   public function testAllowsMF2Classes() {
  78.     $url = 'http://sanitize.example/entry-with-mf2-classes';
  79.     $response = $this->parse(['url' => $url]);
  80. 

  81.     $body = $response->getContent();
  82.     $this->assertEquals(200, $response->getStatusCode());
  83.     $data = json_decode($body, true);
  84.     $html = $data['data']['content']['html'];
  85. 

  86.     $this->assertEquals('entry', $data['data']['type']);
  87.     $this->assertContains('<h2 class="p-name">Hello World</h2>', $html);
  88.     $this->assertContains('<h3>Utility Class</h3>', $html);
  89.   }
  90. 

  91.   public function testEscapingHTMLTagsInText() {
  92.     $url = 'http://sanitize.example/html-escaping-in-text';
  93.     $response = $this->parse(['url' => $url]);
  94. 

  95.     $body = $response->getContent();
  96.     $this->assertEquals(200, $response->getStatusCode());
  97.     $data = json_decode($body, true);
  98. 

  99.     $this->assertEquals('entry', $data['data']['type']);
  100.     $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  101.   }
  102. 

  103.   public function testEscapingHTMLTagsInHTML() {
  104.     $url = 'http://sanitize.example/html-escaping-in-html';
  105.     $response = $this->parse(['url' => $url]);
  106. 

  107.     $body = $response->getContent();
  108.     $this->assertEquals(200, $response->getStatusCode());
  109.     $data = json_decode($body, true);
  110. 

  111.     $this->assertEquals('entry', $data['data']['type']);
  112.     $this->assertArrayNotHasKey('name', $data['data']);
  113.     $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  114.     $this->assertEquals('This content has some <i>HTML escaped</i> entities such as &amp; ampersand, " quote, escaped &lt;code&gt; HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
  115.   }
  116. 

  117.   public function testSanitizeJavascriptURLs() {
  118.     $url = 'http://sanitize.example/h-entry-with-javascript-urls';
  119.     $response = $this->parse(['url' => $url]);
  120. 

  121.     $body = $response->getContent();
  122.     $this->assertEquals(200, $response->getStatusCode());
  123.     $data = json_decode($body, true);
  124. 

  125.     $this->assertEquals('entry', $data['data']['type']);
  126.     $this->assertEquals('', $data['data']['author']['url']);
  127.     $this->assertArrayNotHasKey('url', $data['data']);
  128.     $this->assertArrayNotHasKey('photo', $data['data']);
  129.     $this->assertArrayNotHasKey('audio', $data['data']);
  130.     $this->assertArrayNotHasKey('video', $data['data']);
  131.     $this->assertArrayNotHasKey('syndication', $data['data']);
  132.     $this->assertArrayNotHasKey('in-reply-to', $data['data']);
  133.     $this->assertArrayNotHasKey('like-of', $data['data']);
  134.     $this->assertArrayNotHasKey('repost-of', $data['data']);
  135.     $this->assertArrayNotHasKey('bookmark-of', $data['data']);
  136.     $this->assertEquals('Author', $data['data']['author']['name']);
  137.     $this->assertEquals('', $data['data']['author']['photo']);
  138.   }
  139. 

  140.   public function testSanitizeEmailAuthorURL() {
  141.     $url = 'http://sanitize.example/h-entry-with-email-author';
  142.     $response = $this->parse(['url' => $url]);
  143. 

  144.     $body = $response->getContent();
  145.     $this->assertEquals(200, $response->getStatusCode());
  146.     $data = json_decode($body);
  147. 

  148.     $this->assertEquals('entry', $data->data->type);
  149.     $this->assertEquals('', $data->data->author->url);
  150.     $this->assertEquals('Author', $data->data->author->name);
  151.     $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->author->photo);
  152.   }
  153. 

  154. }