Browse Source

tests for sanitizing and escaping HTML

use fork of php-mf2 until https://github.com/indieweb/php-mf2/pull/83 is merged
pull/39/head
Aaron Parecki 8 years ago
parent
commit
a202aa9c9a
5 changed files with 82 additions and 17 deletions
  1. +8
    -2
      composer.json
  2. +17
    -15
      composer.lock
  3. +29
    -0
      tests/SanitizeTest.php
  4. +14
    -0
      tests/data/sanitize.example/html-escaping-in-html
  5. +14
    -0
      tests/data/sanitize.example/html-escaping-in-text

+ 8
- 2
composer.json View File

@ -2,7 +2,7 @@
"require": {
"league/plates": "3.*",
"league/route": "1.*",
"mf2/mf2": "0.2.*",
"mf2/mf2": "dev-master#bb02f0ee92de17975da1eec738d75ed0dfb68027",
"ezyang/htmlpurifier": "4.*"
},
"autoload": {
@ -21,5 +21,11 @@
"files": [
"lib/HTTPTest.php"
]
}
},
"repositories": [
{
"type": "vcs",
"url": "http://github.com/aaronpk/php-mf2"
}
]
}

+ 17
- 15
composer.lock View File

@ -4,8 +4,8 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"hash": "9ca7e7a96c33dc8c293a42cbcd4c1d2f",
"content-hash": "c1c0c63887a953998208639cd85555a3",
"hash": "9aca2f5dc097a03c196b7c2b4e771ade",
"content-hash": "ccf2adf6d508929e3d329fe3d2adaaef",
"packages": [
{
"name": "ezyang/htmlpurifier",
@ -263,16 +263,16 @@
},
{
"name": "mf2/mf2",
"version": "v0.2.12",
"version": "dev-master",
"source": {
"type": "git",
"url": "https://github.com/indieweb/php-mf2.git",
"reference": "6701504876d6c9242eb310b35f41d40d9785ab4e"
"url": "https://github.com/aaronpk/php-mf2.git",
"reference": "bb02f0ee92de17975da1eec738d75ed0dfb68027"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/indieweb/php-mf2/zipball/6701504876d6c9242eb310b35f41d40d9785ab4e",
"reference": "6701504876d6c9242eb310b35f41d40d9785ab4e",
"url": "https://api.github.com/repos/aaronpk/php-mf2/zipball/bb02f0ee92de17975da1eec738d75ed0dfb68027",
"reference": "bb02f0ee92de17975da1eec738d75ed0dfb68027",
"shasum": ""
},
"require": {
@ -296,7 +296,7 @@
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
"CC0"
],
"authors": [
{
@ -312,7 +312,7 @@
"parser",
"semantic"
],
"time": "2015-07-12 14:10:01"
"time": "2016-02-29 01:39:53"
},
{
"name": "nikic/fast-route",
@ -359,16 +359,16 @@
},
{
"name": "symfony/http-foundation",
"version": "v2.8.2",
"version": "v2.8.3",
"source": {
"type": "git",
"url": "https://github.com/symfony/http-foundation.git",
"reference": "9194b33c71da8ef4d05d22964376f2f9c95a1bfd"
"reference": "6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/http-foundation/zipball/9194b33c71da8ef4d05d22964376f2f9c95a1bfd",
"reference": "9194b33c71da8ef4d05d22964376f2f9c95a1bfd",
"url": "https://api.github.com/repos/symfony/http-foundation/zipball/6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b",
"reference": "6f4e41c41e7d352ed9adf71ff6f2ec1756490a1b",
"shasum": ""
},
"require": {
@ -409,7 +409,7 @@
],
"description": "Symfony HttpFoundation Component",
"homepage": "https://symfony.com",
"time": "2016-01-13 10:28:07"
"time": "2016-02-28 16:20:50"
},
{
"name": "symfony/polyfill-php54",
@ -529,7 +529,9 @@
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"stability-flags": {
"mf2/mf2": 20
},
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],

+ 29
- 0
tests/SanitizeTest.php View File

@ -62,12 +62,15 @@ class SanitizeTest extends PHPUnit_Framework_TestCase {
$this->assertEquals(200, $response->getStatusCode());
$data = json_decode($body, true);
$html = $data['data']['content']['html'];
$text = $data['data']['content']['text'];
$this->assertEquals('entry', $data['data']['type']);
$this->assertNotContains('<script>', $html);
$this->assertNotContains('<style>', $html);
$this->assertNotContains('visiblity', $html); // from the CSS
$this->assertNotContains('alert', $html); // from the JS
$this->assertNotContains('visiblity', $text);
$this->assertNotContains('alert', $text);
}
public function testAllowsMF2Classes() {
@ -84,4 +87,30 @@ class SanitizeTest extends PHPUnit_Framework_TestCase {
$this->assertContains('<h3>Utility Class</h3>', $html);
}
public function testEscapingHTMLTagsInText() {
$url = 'http://sanitize.example/html-escaping-in-text';
$response = $this->parse(['url' => $url]);
$body = $response->getContent();
$this->assertEquals(200, $response->getStatusCode());
$data = json_decode($body, true);
$this->assertEquals('entry', $data['data']['type']);
$this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
}
public function testEscapingHTMLTagsInHTML() {
$url = 'http://sanitize.example/html-escaping-in-html';
$response = $this->parse(['url' => $url]);
$body = $response->getContent();
$this->assertEquals(200, $response->getStatusCode());
$data = json_decode($body, true);
$this->assertEquals('entry', $data['data']['type']);
$this->assertArrayNotHasKey('name', $data['data']);
$this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
$this->assertEquals('This content has some <i>HTML escaped</i> entities such as &amp; ampersand, " quote, escaped &lt;code&gt; HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
}
}

+ 14
- 0
tests/data/sanitize.example/html-escaping-in-html View File

@ -0,0 +1,14 @@
HTTP/1.1 200 OK
Server: Apache
Date: Wed, 09 Dec 2015 03:29:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
<html>
<head>
<title>Test</title>
</head>
<body class="h-entry">
<p class="e-content">This content has some <i>HTML escaped</i> entities such as &amp; ampersand, &quot; quote, escaped &lt;code&gt; HTML tags, an &uuml;mlaut, an &#64;at sign.</p>
</body>
</html>

+ 14
- 0
tests/data/sanitize.example/html-escaping-in-text View File

@ -0,0 +1,14 @@
HTTP/1.1 200 OK
Server: Apache
Date: Wed, 09 Dec 2015 03:29:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
<html>
<head>
<title>Test</title>
</head>
<body class="h-entry">
<p class="p-content">This content has some HTML escaped entities such as &amp; ampersand, &quot; quote, escaped &lt;code&gt; HTML tags, an &uuml;mlaut, an &#64;at sign.</p>
</body>
</html>

Loading…
Cancel
Save