p3k
/
XRay
mirror of https://github.com/aaronpk/XRay.git
1
0
Fork 0
Code Issues 0 Releases 75 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
325 Commits
2 Branches
46 MiB
Tree: v1.12.0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.12.0'
${ noResults }
XRay/tests/SanitizeTest.php

440 lines
20 KiB
Raw Permalink Normal View History

sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
Update all tests to support phpunit9
2 years ago
add failing test for `p-content` containing an `u-photo`
6 years ago
adds a bunch of broken tests for #52
6 years ago
Update all tests to support phpunit9
2 years ago
fix checking for empty post content XRay now looks for images inside the HTML and does not consider those empty posts
4 years ago
Update all tests to support phpunit9
2 years ago
fix whitespace handling for br tags in html
6 years ago
sanitize HTML sanitize the HTML returned in the content property. allows a common set of HTML tags. for #2
8 years ago
 
  1. <?php
  2. use Symfony\Component\HttpFoundation\Request;
  3. use Symfony\Component\HttpFoundation\Response;
  4. 

  5. class SanitizeTest extends PHPUnit\Framework\TestCase
  6. {
  7. 

  8.     private $http;
  9. 

  10.     public function setUp(): void
  11.     {
  12.         $this->client = new Parse();
  13.         $this->client->http = new p3k\HTTP\Test(dirname(__FILE__).'/data/');
  14.         $this->client->mc = null;
  15.     }
  16. 

  17.     private function parse($params)
  18.     {
  19.         $request = new Request($params);
  20.         $response = new Response();
  21.         return $this->client->parse($request, $response);
  22.     }
  23. 

  24.     public function testAllowsWhitelistedTags()
  25.     {
  26.         $url = 'http://sanitize.example/entry-with-valid-tags';
  27.         $response = $this->parse(['url' => $url]);
  28. 

  29.         $body = $response->getContent();
  30.         $this->assertEquals(200, $response->getStatusCode());
  31.         $data = json_decode($body, true);
  32.         $html = $data['data']['content']['html'];
  33. 

  34.         $this->assertEquals('entry', $data['data']['type']);
  35.         $this->assertStringContainsString('This content has only valid tags.', $html);
  36.         $this->assertStringContainsString('<a href="http://sanitize.example/example">links</a>,', $html, '<a> missing');
  37.         $this->assertStringContainsString('<abbr>abbreviations</abbr>,', $html, '<abbr> missing');
  38.         $this->assertStringContainsString('<b>bold</b>,', $html, '<b> missing');
  39.         $this->assertStringContainsString('<code>inline code</code>,', $html, '<code> missing');
  40.         $this->assertStringContainsString('<del>delete</del>,', $html, '<del> missing');
  41.         $this->assertStringContainsString('<em>emphasis</em>,', $html, '<em> missing');
  42.         $this->assertStringContainsString('<i>italics</i>,', $html, '<i> missing');
  43.         $this->assertStringContainsString('<img src="http://sanitize.example/example.jpg" alt="images are allowed" />', $html, '<img> missing');
  44.         $this->assertStringContainsString('<q>inline quote</q>,', $html, '<q> missing');
  45.         $this->assertStringContainsString('<strike>strikethrough</strike>,', $html, '<strike> missing');
  46.         $this->assertStringContainsString('<strong>strong text</strong>,', $html, '<strong> missing');
  47.         $this->assertStringContainsString('<time datetime="2016-01-01">time elements</time>', $html, '<time> missing');
  48.         $this->assertStringContainsString('<blockquote>Blockquote tags are okay</blockquote>', $html);
  49.         $this->assertStringContainsString('<pre>preformatted text is okay too', $html, '<pre> missing');
  50.         $this->assertStringContainsString('for code examples and such</pre>', $html, '<pre> missing');
  51.         $this->assertStringContainsString('<p>Paragraph tags are allowed</p>', $html, '<p> missing');
  52.         $this->assertStringContainsString('<h1>One</h1>', $html, '<h1> missing');
  53.         $this->assertStringContainsString('<h2>Two</h2>', $html, '<h2> missing');
  54.         $this->assertStringContainsString('<h3>Three</h3>', $html, '<h3> missing');
  55.         $this->assertStringContainsString('<h4>Four</h4>', $html, '<h4> missing');
  56.         $this->assertStringContainsString('<h5>Five</h5>', $html, '<h5> missing');
  57.         $this->assertStringContainsString('<h6>Six</h6>', $html, '<h6> missing');
  58.         $this->assertStringContainsString('<ul>', $html, '<ul> missing');
  59.         $this->assertStringContainsString('<li>One</li>', $html, '<li> missing');
  60.         $this->assertStringContainsString('<p>We should allow<br />break<br />tags too</p>', $html, '<br> missing');
  61.     }
  62. 

  63.     public function testRemovesUnsafeTags()
  64.     {
  65.         $url = 'http://sanitize.example/entry-with-unsafe-tags';
  66.         $response = $this->parse(['url' => $url]);
  67. 

  68.         $body = $response->getContent();
  69.         $this->assertEquals(200, $response->getStatusCode());
  70.         $data = json_decode($body, true);
  71.         $html = $data['data']['content']['html'];
  72.         $text = $data['data']['content']['text'];
  73. 

  74.         $this->assertEquals('entry', $data['data']['type']);
  75.         $this->assertStringNotContainsString('<script>', $html);
  76.         $this->assertStringNotContainsString('<style>', $html);
  77.         $this->assertStringNotContainsString('visiblity', $html); // from the CSS

  78.         $this->assertStringNotContainsString('alert', $html); // from the JS

  79.         $this->assertStringNotContainsString('visiblity', $text);
  80.         $this->assertStringNotContainsString('alert', $text);
  81.     }
  82. 

  83.     public function testAllowsMF2Classes()
  84.     {
  85.         $url = 'http://sanitize.example/entry-with-mf2-classes';
  86.         $response = $this->parse(['url' => $url]);
  87. 

  88.         $body = $response->getContent();
  89.         $this->assertEquals(200, $response->getStatusCode());
  90.         $data = json_decode($body, true);
  91.         $html = $data['data']['content']['html'];
  92. 

  93.         $this->assertEquals('entry', $data['data']['type']);
  94.         $this->assertStringContainsString('<h2 class="p-name">Hello World</h2>', $html);
  95.         $this->assertStringContainsString('<h3>Utility Class</h3>', $html);
  96.     }
  97. 

  98.     public function testEscapingHTMLTagsInText()
  99.     {
  100.         $url = 'http://sanitize.example/html-escaping-in-text';
  101.         $response = $this->parse(['url' => $url]);
  102. 

  103.         $body = $response->getContent();
  104.         $this->assertEquals(200, $response->getStatusCode());
  105.         $data = json_decode($body, true);
  106. 

  107.         $this->assertEquals('entry', $data['data']['type']);
  108.         $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  109.     }
  110. 

  111.     public function testEscapingHTMLTagsInHTML()
  112.     {
  113.         $url = 'http://sanitize.example/html-escaping-in-html';
  114.         $response = $this->parse(['url' => $url]);
  115. 

  116.         $body = $response->getContent();
  117.         $this->assertEquals(200, $response->getStatusCode());
  118.         $data = json_decode($body, true);
  119. 

  120.         $this->assertEquals('entry', $data['data']['type']);
  121.         $this->assertArrayNotHasKey('name', $data['data']);
  122.         $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
  123.         $this->assertEquals('This content has some <i>HTML escaped</i> entities such as &amp; ampersand, " quote, escaped &lt;code&gt; HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
  124.     }
  125. 

  126.     public function testAllowIframeVideo()
  127.     {
  128.         $url = 'http://sanitize.example/entry-with-iframe-video';
  129.         $response = $this->parse(['url' => $url]);
  130.         $body = $response->getContent();
  131.         $data = json_decode($body, true);
  132.         $html = $data['data']['content']['html'];
  133.         $this->assertStringNotContainsString('<iframe', $html);
  134. 

  135.         $response = $this->parse(['url' => $url, 'allow-iframe-video' => 'true']);
  136.         $body = $response->getContent();
  137.         $data = json_decode($body, true);
  138.         $html = $data['data']['content']['html'];
  139.         $this->assertStringContainsString('youtube.com', $html);
  140.         $this->assertStringNotContainsString('https://attack-domain.com', $html);
  141.         $this->assertStringNotContainsString('<iframe width="580" height="345"', $html);
  142.     }
  143. 

  144.     public function testSanitizeJavascriptURLs()
  145.     {
  146.         $url = 'http://sanitize.example/h-entry-with-javascript-urls';
  147.         $response = $this->parse(['url' => $url]);
  148. 

  149.         $body = $response->getContent();
  150.         $this->assertEquals(200, $response->getStatusCode());
  151.         $data = json_decode($body, true);
  152. 

  153.         $this->assertEquals('entry', $data['data']['type']);
  154.         $this->assertEquals('', $data['data']['author']['url']);
  155.         $this->assertArrayNotHasKey('url', $data['data']);
  156.         $this->assertArrayNotHasKey('photo', $data['data']);
  157.         $this->assertArrayNotHasKey('audio', $data['data']);
  158.         $this->assertArrayNotHasKey('video', $data['data']);
  159.         $this->assertArrayNotHasKey('syndication', $data['data']);
  160.         $this->assertArrayNotHasKey('in-reply-to', $data['data']);
  161.         $this->assertArrayNotHasKey('like-of', $data['data']);
  162.         $this->assertArrayNotHasKey('repost-of', $data['data']);
  163.         $this->assertArrayNotHasKey('bookmark-of', $data['data']);
  164.         $this->assertEquals('Author', $data['data']['author']['name']);
  165.         $this->assertEquals('', $data['data']['author']['photo']);
  166.     }
  167. 

  168.     public function testSanitizeEmailAuthorURL()
  169.     {
  170.         $url = 'http://sanitize.example/h-entry-with-email-author';
  171.         $response = $this->parse(['url' => $url]);
  172. 

  173.         $body = $response->getContent();
  174.         $this->assertEquals(200, $response->getStatusCode());
  175.         $data = json_decode($body);
  176. 

  177.         $this->assertEquals('entry', $data->data->type);
  178.         $this->assertEquals('', $data->data->author->url);
  179.         $this->assertEquals('Author', $data->data->author->name);
  180.         $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->author->photo);
  181.     }
  182. 

  183.     public function testPhotoInContentNoAlt()
  184.     {
  185.         // https://github.com/aaronpk/XRay/issues/52

  186. 

  187.         $url = 'http://sanitize.example/photo-in-content';
  188.         $response = $this->parse(['url' => $url]);
  189. 

  190.         $body = $response->getContent();
  191.         $this->assertEquals(200, $response->getStatusCode());
  192.         $data = json_decode($body);
  193. 

  194.         $this->assertObjectNotHasAttribute('name', $data->data);
  195.         $this->assertEquals('http://target.example.com/photo.jpg', $data->data->photo[0]);
  196.         $this->assertEquals('This is a photo post with an img tag inside the content.', $data->data->content->text);
  197.         $this->assertEquals('This is a photo post with an <code>img</code> tag inside the content.', $data->data->content->html);
  198.     }
  199. 

  200.     /*
  201.     // Commented out until #56 is resolved

  202.     // https://github.com/aaronpk/XRay/issues/56

  203.     public function testPhotoInTextContentNoAlt() {
  204.     $url = 'http://sanitize.example/photo-in-text-content';
  205.     $response = $this->parse(['url' => $url]);
  206. 

  207.     $body = $response->getContent();
  208.     $this->assertEquals(200, $response->getStatusCode());
  209.     $data = json_decode($body);
  210. 

  211.     $this->assertObjectNotHasAttribute('name', $data->data);
  212.     $this->assertEquals('http://target.example.com/photo.jpg', $data->data->photo[0]);
  213.     $this->assertEquals('This is a photo post with an img tag inside the content.', $data->data->content->text);
  214.     $this->assertEquals('This is a photo post with an <code>img</code> tag inside the content.', $data->data->content->html);
  215.     }
  216.     */
  217. 

  218.     public function testRelativePhotoInContent()
  219.     {
  220.         $url = 'http://sanitize.example/photo-in-content-relative';
  221.         $response = $this->parse(['url' => $url]);
  222. 

  223.         $body = $response->getContent();
  224.         $this->assertEquals(200, $response->getStatusCode());
  225.         $data = json_decode($body);
  226. 

  227.         $this->assertStringContainsString('http://sanitize.example/photo1.jpg', $data->data->content->html);
  228.     }
  229. 

  230.     public function testRelativePhotoProperty()
  231.     {
  232.         $url = 'http://sanitize.example/photo-relative';
  233.         $response = $this->parse(['url' => $url]);
  234. 

  235.         $body = $response->getContent();
  236.         $this->assertEquals(200, $response->getStatusCode());
  237.         $data = json_decode($body);
  238. 

  239.         $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->photo[0]);
  240.     }
  241. 

  242.     public function testPhotoInContentEmptyAltAttribute()
  243.     {
  244.         // https://github.com/aaronpk/XRay/issues/52

  245. 

  246.         $url = 'http://sanitize.example/photo-in-content-empty-alt';
  247.         $response = $this->parse(['url' => $url]);
  248. 

  249.         $body = $response->getContent();
  250.         $this->assertEquals(200, $response->getStatusCode());
  251.         $data = json_decode($body);
  252. 

  253.         $this->assertObjectNotHasAttribute('name', $data->data);
  254.         $this->assertEquals('http://target.example.com/photo.jpg', $data->data->photo[0]);
  255.         $this->assertEquals('This is a photo post with an img tag inside the content.', $data->data->content->text);
  256.         $this->assertEquals('This is a photo post with an <code>img</code> tag inside the content.', $data->data->content->html);
  257.     }
  258. 

  259.     public function testPhotoInContentWithAlt()
  260.     {
  261.         // https://github.com/aaronpk/XRay/issues/52

  262. 

  263.         $url = 'http://sanitize.example/photo-in-content-with-alt';
  264.         $response = $this->parse(['url' => $url]);
  265. 

  266.         $body = $response->getContent();
  267.         $this->assertEquals(200, $response->getStatusCode());
  268.         $data = json_decode($body);
  269. 

  270.         $this->assertObjectNotHasAttribute('name', $data->data);
  271.         $this->assertEquals('http://target.example.com/photo.jpg', $data->data->photo[0]);
  272.         $this->assertEquals('This is a photo post with an img tag inside the content.', $data->data->content->text);
  273.         $this->assertEquals('This is a photo post with an <code>img</code> tag inside the content.', $data->data->content->html);
  274.     }
  275. 

  276.     public function testPhotoInContentWithNameAndNoText()
  277.     {
  278.         $url = 'http://sanitize.example/cleverdevil';
  279.         $response = $this->parse(['url' => $url]);
  280. 

  281.         $body = $response->getContent();
  282.         $this->assertEquals(200, $response->getStatusCode());
  283.         $data = json_decode($body);
  284. 

  285.         $this->assertObjectHasAttribute('name', $data->data);
  286.         $this->assertEquals('Oh, how well they know me! 🥃', $data->data->name);
  287.         $this->assertObjectNotHasAttribute('content', $data->data);
  288.         $this->assertEquals('https://cleverdevil.io/file/5bf2fa91c3d4c592f9978200923cb56e/thumb.jpg', $data->data->photo[0]);
  289.     }
  290. 

  291.     public function testPhotoWithDupeNameAndAlt1()
  292.     {
  293.         // https://github.com/aaronpk/XRay/issues/57

  294.         $url = 'http://sanitize.example/photo-with-dupe-name-alt';
  295.         $response = $this->parse(['url' => $url]);
  296. 

  297.         $body = $response->getContent();
  298.         $this->assertEquals(200, $response->getStatusCode());
  299.         $data = json_decode($body);
  300. 

  301.         $this->assertObjectHasAttribute('name', $data->data);
  302.         $this->assertEquals('Photo caption', $data->data->name);
  303.         $this->assertObjectNotHasAttribute('content', $data->data);
  304.         $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->photo[0]);
  305.     }
  306. 

  307.     public function testPhotoWithDupeNameAndAlt2()
  308.     {
  309.         // This is simliar to adactio's markup

  310.         // https://adactio.com/notes/13301

  311.         $url = 'http://sanitize.example/photo-with-dupe-name-alt-2';
  312.         $response = $this->parse(['url' => $url]);
  313. 

  314.         $body = $response->getContent();
  315.         $this->assertEquals(200, $response->getStatusCode());
  316.         $data = json_decode($body);
  317. 

  318.         $this->assertObjectHasAttribute('content', $data->data);
  319.         $this->assertEquals('Photo caption', $data->data->content->text);
  320.         $this->assertObjectNotHasAttribute('name', $data->data);
  321.         $this->assertEquals('http://sanitize.example/photo.jpg', $data->data->photo[0]);
  322.     }
  323. 

  324.     public function testPhotoInContentWithNoText()
  325.     {
  326.         $url = 'http://sanitize.example/photo-in-content-with-alt-no-text';
  327.         $response = $this->parse(['url' => $url]);
  328. 

  329.         $body = $response->getContent();
  330.         $this->assertEquals(200, $response->getStatusCode());
  331.         $data = json_decode($body, true);
  332. 

  333.         $this->assertEquals('<p><img src="http://sanitize.example/photo.jpg" alt="test" /></p>', $data['data']['content']['html']);
  334.         $this->assertEquals('', $data['data']['content']['text']);
  335.     }
  336. 

  337.     public function testPhotoInContentWithPNoAlt()
  338.     {
  339.         $url = 'http://sanitize.example/photo-in-content-with-p-no-alt';
  340.         $response = $this->parse(['url' => $url]);
  341. 

  342.         $body = $response->getContent();
  343.         $this->assertEquals(200, $response->getStatusCode());
  344.         $data = json_decode($body, true);
  345. 

  346.         $this->assertEquals('<p><img src="http://sanitize.example/photo.jpg" alt="photo.jpg" /></p>', $data['data']['content']['html']);
  347.         $this->assertEquals('', $data['data']['content']['text']);
  348.     }
  349. 

  350.     public function testPhotoInContentNoPWithURLPhoto()
  351.     {
  352.         $url = 'http://sanitize.example/photo-in-content-no-p-with-url-photo';
  353.         $response = $this->parse(['url' => $url]);
  354. 

  355.         $body = $response->getContent();
  356.         $this->assertEquals(200, $response->getStatusCode());
  357.         $data = json_decode($body, true);
  358. 

  359.         $this->assertEquals('<img src="http://sanitize.example/photo.jpg" alt="test" />', $data['data']['content']['html']);
  360.         $this->assertEquals('', $data['data']['content']['text']);
  361.     }
  362. 

  363.     public function testPhotoInContentNoPWithAlt()
  364.     {
  365.         // This h-entry has no u-url so has an implied u-photo. we don't actually care what happens with it because

  366.         // this should never happen in the wild

  367.         $url = 'http://sanitize.example/photo-in-content-no-p-with-alt';
  368.         $response = $this->parse(['url' => $url]);
  369. 

  370.         $body = $response->getContent();
  371.         $this->assertEquals(200, $response->getStatusCode());
  372.         $data = json_decode($body, true);
  373.     }
  374. 

  375.     /*
  376.     // TODO: add support for embedded video and audio tags in html content

  377.     public function testContentIsOnlyVideo() {
  378.     $url = 'http://sanitize.example/content-is-only-video';
  379.     $response = $this->parse(['url' => $url]);
  380. 

  381.     $body = $response->getContent();
  382.     $this->assertEquals(200, $response->getStatusCode());
  383.     $data = json_decode($body, true);
  384. 

  385.     print_r($data);
  386.     }
  387.     */
  388. 

  389.     public function testPhotosWithAlt()
  390.     {
  391.         // https://github.com/microformats/microformats2-parsing/issues/16

  392. 

  393.         $url = 'http://sanitize.example/photos-with-alt';
  394.         $response = $this->parse(['url' => $url]);
  395. 

  396.         $body = $response->getContent();
  397.         $this->assertEquals(200, $response->getStatusCode());
  398.         $data = json_decode($body);
  399. 

  400.         $this->assertEquals('🌆 Made it to the first #NPSF #earlygang of the year, did in-betweeners abs, and 6:30 workout with a brutal burnout that was really its own workout. But wow pretty sunrise. Plus 50+ deg F? I’ll take it. #100PDPD'."\n\n".'#justshowup #darknesstodawn #wakeupthesun #fromwhereirun #NovemberProject #sunrise #latergram #nofilter', $data->data->content->text);
  401.         $this->assertObjectNotHasAttribute('name', $data->data);
  402.         $this->assertEquals('https://igx.4sqi.net/img/general/original/476_g7yruXflacsGr7PyVmECefyTBMB_R99zmPQxW7pftzA.jpg', $data->data->photo[0]);
  403.         $this->assertEquals('https://igx.4sqi.net/img/general/original/476_zM3UgU9JHNhom907Ac_1WCEcUhGOJZaNWGlRmev86YA.jpg', $data->data->photo[1]);
  404.     }
  405. 

  406.     // Ignoring this issue for now. This should not happen in the wild.

  407.     // https://github.com/aaronpk/XRay/issues/55

  408.     // Skipping the implied photo check because in the wild, h-entrys should not exist withou a u-url, which stops implied parsing.

  409.     public function testEntryWithImgNoImpliedPhoto()
  410.     {
  411.         // See https://github.com/microformats/microformats2-parsing/issues/6#issuecomment-357286985

  412.         // and https://github.com/aaronpk/XRay/issues/52#issuecomment-357269683

  413.         // and https://github.com/microformats/microformats2-parsing/issues/16

  414.         $url = 'http://sanitize.example/entry-with-img-no-implied-photo';
  415.         $response = $this->parse(['url' => $url]);
  416. 

  417.         $body = $response->getContent();
  418.         $this->assertEquals(200, $response->getStatusCode());
  419.         $data = json_decode($body);
  420. 

  421.         $this->assertObjectNotHasAttribute('photo', $data->data);
  422.         $this->assertObjectNotHasAttribute('name', $data->data);
  423.         $this->assertEquals('This is a photo post with an img tag inside the content, which does not have a u-photo class so should not be removed.', $data->data->content->text);
  424.         $this->assertEquals('This is a photo post with an <code>img</code> tag inside the content, which does not have a u-photo class so should not be removed. <img src="http://target.example.com/photo.jpg" alt="a photo" />', $data->data->content->html);
  425.     }
  426. 

  427.     public function testWhitespaceWithBreakTags()
  428.     {
  429.         $url = 'http://sanitize.example/entry-with-br-tags';
  430.         $response = $this->parse(['url' => $url]);
  431. 

  432.         $body = $response->getContent();
  433.         $this->assertEquals(200, $response->getStatusCode());
  434.         $data = json_decode($body);
  435. 

  436.         $this->assertEquals('This content has two break tags to indicate a paragraph break.<br /><br />This is how tantek\'s autolinker works.', $data->data->content->html);
  437.         $this->assertEquals("This content has two break tags to indicate a paragraph break.\n\nThis is how tantek's autolinker works.", $data->data->content->text);
  438.     }
  439. 

  440. }