You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
116 lines
5.4 KiB
116 lines
5.4 KiB
<?php
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class SanitizeTest extends PHPUnit_Framework_TestCase {
|
|
|
|
private $http;
|
|
|
|
public function setUp() {
|
|
$this->client = new Parse();
|
|
$this->client->http = new p3k\HTTPTest(dirname(__FILE__).'/data/');
|
|
}
|
|
|
|
private function parse($params) {
|
|
$request = new Request($params);
|
|
$response = new Response();
|
|
return $this->client->parse($request, $response);
|
|
}
|
|
|
|
public function testAllowsWhitelistedTags() {
|
|
$url = 'http://sanitize.example/entry-with-valid-tags';
|
|
$response = $this->parse(['url' => $url]);
|
|
|
|
$body = $response->getContent();
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
$data = json_decode($body, true);
|
|
$html = $data['data']['content']['html'];
|
|
|
|
$this->assertEquals('entry', $data['data']['type']);
|
|
$this->assertContains('This content has only valid tags.', $html);
|
|
$this->assertContains('<a href="http://sanitize.example/example">links</a>,', $html, '<a> missing');
|
|
$this->assertContains('<abbr>abbreviations</abbr>,', $html, '<abbr> missing');
|
|
$this->assertContains('<b>bold</b>,', $html, '<b> missing');
|
|
$this->assertContains('<code>inline code</code>,', $html, '<code> missing');
|
|
$this->assertContains('<del>delete</del>,', $html, '<del> missing');
|
|
$this->assertContains('<em>emphasis</em>,', $html, '<em> missing');
|
|
$this->assertContains('<i>italics</i>,', $html, '<i> missing');
|
|
$this->assertContains('<img alt="images are allowed" src="http://sanitize.example/example.jpg" />', $html, '<img> missing');
|
|
$this->assertContains('<q>inline quote</q>,', $html, '<q> missing');
|
|
$this->assertContains('<strike>strikethrough</strike>,', $html, '<strike> missing');
|
|
$this->assertContains('<strong>strong text</strong>,', $html, '<strong> missing');
|
|
$this->assertContains('<time datetime="2016-01-01">time elements</time>', $html, '<time> missing');
|
|
$this->assertContains('<blockquote>Blockquote tags are okay</blockquote>', $html);
|
|
$this->assertContains('<pre>preformatted text is okay too', $html, '<pre> missing');
|
|
$this->assertContains('for code examples and such</pre>', $html, '<pre> missing');
|
|
$this->assertContains('<p>Paragraph tags are allowed</p>', $html, '<p> missing');
|
|
$this->assertContains('<h1>One</h1>', $html, '<h1> missing');
|
|
$this->assertContains('<h2>Two</h2>', $html, '<h2> missing');
|
|
$this->assertContains('<h3>Three</h3>', $html, '<h3> missing');
|
|
$this->assertContains('<h4>Four</h4>', $html, '<h4> missing');
|
|
$this->assertContains('<h5>Five</h5>', $html, '<h5> missing');
|
|
$this->assertContains('<h6>Six</h6>', $html, '<h6> missing');
|
|
$this->assertContains('<ul>', $html, '<ul> missing');
|
|
$this->assertContains('<li>One</li>', $html, '<li> missing');
|
|
}
|
|
|
|
public function testRemovesUnsafeTags() {
|
|
$url = 'http://sanitize.example/entry-with-unsafe-tags';
|
|
$response = $this->parse(['url' => $url]);
|
|
|
|
$body = $response->getContent();
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
$data = json_decode($body, true);
|
|
$html = $data['data']['content']['html'];
|
|
$text = $data['data']['content']['text'];
|
|
|
|
$this->assertEquals('entry', $data['data']['type']);
|
|
$this->assertNotContains('<script>', $html);
|
|
$this->assertNotContains('<style>', $html);
|
|
$this->assertNotContains('visiblity', $html); // from the CSS
|
|
$this->assertNotContains('alert', $html); // from the JS
|
|
$this->assertNotContains('visiblity', $text);
|
|
$this->assertNotContains('alert', $text);
|
|
}
|
|
|
|
public function testAllowsMF2Classes() {
|
|
$url = 'http://sanitize.example/entry-with-mf2-classes';
|
|
$response = $this->parse(['url' => $url]);
|
|
|
|
$body = $response->getContent();
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
$data = json_decode($body, true);
|
|
$html = $data['data']['content']['html'];
|
|
|
|
$this->assertEquals('entry', $data['data']['type']);
|
|
$this->assertContains('<h2 class="p-name">Hello World</h2>', $html);
|
|
$this->assertContains('<h3>Utility Class</h3>', $html);
|
|
}
|
|
|
|
public function testEscapingHTMLTagsInText() {
|
|
$url = 'http://sanitize.example/html-escaping-in-text';
|
|
$response = $this->parse(['url' => $url]);
|
|
|
|
$body = $response->getContent();
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
$data = json_decode($body, true);
|
|
|
|
$this->assertEquals('entry', $data['data']['type']);
|
|
$this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
|
|
}
|
|
|
|
public function testEscapingHTMLTagsInHTML() {
|
|
$url = 'http://sanitize.example/html-escaping-in-html';
|
|
$response = $this->parse(['url' => $url]);
|
|
|
|
$body = $response->getContent();
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
$data = json_decode($body, true);
|
|
|
|
$this->assertEquals('entry', $data['data']['type']);
|
|
$this->assertArrayNotHasKey('name', $data['data']);
|
|
$this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['text']);
|
|
$this->assertEquals('This content has some <i>HTML escaped</i> entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']);
|
|
}
|
|
|
|
}
|