tests for sanitizing and escaping HTML

use fork of php-mf2 until https://github.com/indieweb/php-mf2/pull/83 is merged

composer.json

@@ -2,7 +2,7 @@
   "require": {
     "league/plates": "3.*",
     "league/route": "1.*",
-    "mf2/mf2": "0.2.*",
+    "mf2/mf2": "dev-master#bb02f0ee92de17975da1eec738d75ed0dfb68027",
     "ezyang/htmlpurifier": "4.*"
   },
   "autoload": {
@@ -21,5 +21,11 @@
     "files": [
       "lib/HTTPTest.php"
     ]
-  }
+  },
+  "repositories": [
+    {
+      "type": "vcs",
+      "url": "http://github.com/aaronpk/php-mf2"
+    }
+  ]
 }

composer.lock

@@ -4,8 +4,8 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "9ca7e7a96c33dc8c293a42cbcd4c1d2f",
-    "content-hash": "c1c0c63887a953998208639cd85555a3",
+    "hash": "9aca2f5dc097a03c196b7c2b4e771ade",
+    "content-hash": "ccf2adf6d508929e3d329fe3d2adaaef",
     "packages": [
         {
             "name": "ezyang/htmlpurifier",
@@ -263,16 +263,16 @@
         },
         {
             "name": "mf2/mf2",
-            "version": "v0.2.12",
+            "version": "dev-master",
             "source": {
                 "type": "git",
-                "url": "https://github.com/indieweb/php-mf2.git",
-                "reference": "6701504876d6c9242eb310b35f41d40d9785ab4e"
+                "url": "https://github.com/aaronpk/php-mf2.git",
+                "reference": "bb02f0ee92de17975da1eec738d75ed0dfb68027"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/indieweb/php-mf2/zipball/6701504876d6c9242eb310b35f41d40d9785ab4e",
-                "reference": "6701504876d6c9242eb310b35f41d40d9785ab4e",
+                "url": "https://api.github.com/repos/aaronpk/php-mf2/zipball/bb02f0ee92de17975da1eec738d75ed0dfb68027",
+                "reference": "bb02f0ee92de17975da1eec738d75ed0dfb68027",
                 "shasum": ""
             },
             "require": {
@@ -296,7 +296,7 @@
             },
             "notification-url": "https://packagist.org/downloads/",
             "license": [
-                "MIT"
+                "CC0"
             ],
             "authors": [
                 {
@@ -312,7 +312,7 @@
                 "parser",
                 "semantic"
             ],
-            "time": "2015-07-12 14:10:01"
+            "time": "2016-02-29 01:39:53"
         },
         {
             "name": "nikic/fast-route",
@@ -359,16 +359,16 @@
         },
         {
             "name": "symfony/http-foundation",
-            "version": "v2.8.2",
+            "version": "v2.8.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/http-foundation.git",
-                "reference": "9194b33c71da8ef4d05d22964376f2f9c95a1bfd"
+                "reference": "6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/9194b33c71da8ef4d05d22964376f2f9c95a1bfd",
-                "reference": "9194b33c71da8ef4d05d22964376f2f9c95a1bfd",
+                "url": "https://api.github.com/repos/symfony/http-foundation/zipball/6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b",
+                "reference": "6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b",
                 "shasum": ""
             },
             "require": {
@@ -409,7 +409,7 @@
             ],
             "description": "Symfony HttpFoundation Component",
             "homepage": "https://symfony.com",
-            "time": "2016-01-13 10:28:07"
+            "time": "2016-02-28 16:20:50"
         },
         {
             "name": "symfony/polyfill-php54",
@@ -529,7 +529,9 @@
     "packages-dev": [],
     "aliases": [],
     "minimum-stability": "stable",
-    "stability-flags": [],
+    "stability-flags": {
+        "mf2/mf2": 20
+    },
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": [],

tests/SanitizeTest.php

@@ -62,12 +62,15 @@ class SanitizeTest extends PHPUnit_Framework_TestCase {
     $this->assertEquals(200, $response->getStatusCode());
     $data = json_decode($body, true);
     $html = $data['data']['content']['html'];
+    $text = $data['data']['content']['text'];
 
     $this->assertEquals('entry', $data['data']['type']);
     $this->assertNotContains('<script>', $html);
     $this->assertNotContains('<style>', $html);
     $this->assertNotContains('visiblity', $html); // from the CSS
     $this->assertNotContains('alert', $html); // from the JS
+    $this->assertNotContains('visiblity', $text);
+    $this->assertNotContains('alert', $text);
   }
 
   public function testAllowsMF2Classes() {
@@ -84,4 +87,30 @@ class SanitizeTest extends PHPUnit_Framework_TestCase {
     $this->assertContains('<h3>Utility Class</h3>', $html);
   }
 
+  public function testEscapingHTMLTagsInText() {
+    $url = 'http://sanitize.example/html-escaping-in-text';
+    $response = $this->parse(['url' => $url]);
+
+    $body = $response->getContent();
+    $this->assertEquals(200, $response->getStatusCode());
+    $data = json_decode($body, true);
+
+    $this->assertEquals('entry', $data['data']['type']);
+    $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
+  }
+
+  public function testEscapingHTMLTagsInHTML() {
+    $url = 'http://sanitize.example/html-escaping-in-html';
+    $response = $this->parse(['url' => $url]);
+
+    $body = $response->getContent();
+    $this->assertEquals(200, $response->getStatusCode());
+    $data = json_decode($body, true);
+
+    $this->assertEquals('entry', $data['data']['type']);
+    $this->assertArrayNotHasKey('name', $data['data']);
+    $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
+    $this->assertEquals('This content has some <i>HTML escaped</i> entities such as &amp; ampersand, " quote, escaped &lt;code&gt; HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
+  }
+
 }

tests/data/sanitize.example/html-escaping-in-html

@@ -0,0 +1,14 @@
+HTTP/1.1 200 OK
+Server: Apache
+Date: Wed, 09 Dec 2015 03:29:14 GMT
+Content-Type: text/html; charset=utf-8
+Connection: keep-alive
+
+<html>
+  <head>
+    <title>Test</title>
+  </head>
+  <body class="h-entry">
+    <p class="e-content">This content has some <i>HTML escaped</i> entities such as &amp; ampersand, &quot; quote, escaped &lt;code&gt; HTML tags, an &uuml;mlaut, an &#64;at sign.</p>
+  </body>
+</html>

tests/data/sanitize.example/html-escaping-in-text

@@ -0,0 +1,14 @@
+HTTP/1.1 200 OK
+Server: Apache
+Date: Wed, 09 Dec 2015 03:29:14 GMT
+Content-Type: text/html; charset=utf-8
+Connection: keep-alive
+
+<html>
+  <head>
+    <title>Test</title>
+  </head>
+  <body class="h-entry">
+    <p class="p-content">This content has some HTML escaped entities such as &amp; ampersand, &quot; quote, escaped &lt;code&gt; HTML tags, an &uuml;mlaut, an &#64;at sign.</p>
+  </body>
+</html>