Filtered scripts in custom HTML head for exports

[bookstack] / tests / Entity / ExportTest.php

diff --git a/tests/Entity/ExportTest.php b/tests/Entity/ExportTest.php
index 1e44f015a5a0b69f8520c9227b971e79f17c0b63..d04ccc69a85304184e5c29293ec4644dcf6acf97 100644 (file)
--- a/tests/Entity/ExportTest.php
+++ b/tests/Entity/ExportTest.php
@@ -1,6 +1,6 @@
 <?php namespace Tests\Entity;
 
-
+use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Page;
 use Illuminate\Support\Facades\Storage;
@@ -151,6 +151,16 @@ class ExportTest extends TestCase
         $resp->assertDontSee($page->updated_at->diffForHumans());
     }
 
+    public function test_page_export_does_not_include_user_or_revision_links()
+    {
+        $page = Page::first();
+
+        $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+        $resp->assertDontSee($page->getUrl('/revisions'));
+        $resp->assertDontSee($page->createdBy->getProfileUrl());
+        $resp->assertSee($page->createdBy->name);
+    }
+
     public function test_page_export_sets_right_data_type_for_svg_embeds()
     {
         $page = Page::first();
@@ -205,4 +215,19 @@ class ExportTest extends TestCase
         $resp->assertSee('src="/uploads/svg_test.svg"');
     }
 
+    public function test_exports_removes_scripts_from_custom_head()
+    {
+        $entities = [
+            Page::query()->first(), Chapter::query()->first(), Book::query()->first(),
+        ];
+        setting()->put('app-custom-head', '<script>window.donkey = "cat";</script><style>.my-test-class { color: red; }</style>');
+
+        foreach ($entities as $entity) {
+            $resp = $this->asEditor()->get($entity->getUrl('/export/html'));
+            $resp->assertDontSee('window.donkey');
+            $resp->assertDontSee('script');
+            $resp->assertSee('.my-test-class { color: red; }');
+        }
+    }
+
 }