X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/1ad6fe1cbd65a22008184e8578d6b349d30a00ed..refs/pull/2023/head:/tests/Entity/PageContentTest.php diff --git a/tests/Entity/PageContentTest.php b/tests/Entity/PageContentTest.php index 8b0e180da..d714c3229 100644 --- a/tests/Entity/PageContentTest.php +++ b/tests/Entity/PageContentTest.php @@ -1,7 +1,8 @@ -id)->first(); + $this->asEditor(); - $page->html = "

{{@$secondPage->id}}

"; + $includeTag = '{{@' . $secondPage->id . '}}'; + $page->html = '

' . $includeTag . '

'; $resp = $this->put($page->getUrl(), ['name' => $page->name, 'html' => $page->html, 'summary' => '']); $resp->assertStatus(302); $page = Page::find($page->id); - $this->assertContains("{{@$secondPage->id}}", $page->html); + $this->assertStringContainsString($includeTag, $page->html); + $this->assertEquals('', $page->text); } public function test_page_includes_do_not_break_tables() @@ -67,62 +71,112 @@ class PageContentTest extends TestCase $pageResp->assertSee($content); } - public function test_page_revision_views_viewable() + public function test_page_content_scripts_removed_by_default() { $this->asEditor(); - - $entityRepo = $this->app[EntityRepo::class]; $page = Page::first(); - $entityRepo->updatePage($page, $page->book_id, ['name' => 'updated page', 'html' => '

new content

', 'summary' => 'page revision testing']); - $pageRevision = $page->revisions->last(); - - $revisionView = $this->get($page->getUrl() . '/revisions/' . $pageRevision->id); - $revisionView->assertStatus(200); - $revisionView->assertSee('new content'); + $script = 'abc123abc123'; + $page->html = "escape {$script}"; + $page->save(); - $revisionView = $this->get($page->getUrl() . '/revisions/' . $pageRevision->id . '/changes'); - $revisionView->assertStatus(200); - $revisionView->assertSee('new content'); + $pageView = $this->get($page->getUrl()); + $pageView->assertStatus(200); + $pageView->assertDontSee($script); + $pageView->assertSee('abc123abc123'); } - public function test_page_revision_restore_updates_content() + public function test_more_complex_content_script_escaping_scenarios() { - $this->asEditor(); + $checks = [ + "

Some script

", + "

Some script

", + "

Some script

", + "

Some script

", + "

Some script

", + "

Some script

", + ]; - $entityRepo = $this->app[EntityRepo::class]; + $this->asEditor(); $page = Page::first(); - $entityRepo->updatePage($page, $page->book_id, ['name' => 'updated page abc123', 'html' => '

new contente def456

', 'summary' => 'initial page revision testing']); - $entityRepo->updatePage($page, $page->book_id, ['name' => 'updated page again', 'html' => '

new content

', 'summary' => 'page revision testing']); - $page = Page::find($page->id); + foreach ($checks as $check) { + $page->html = $check; + $page->save(); - $pageView = $this->get($page->getUrl()); - $pageView->assertDontSee('abc123'); - $pageView->assertDontSee('def456'); + $pageView = $this->get($page->getUrl()); + $pageView->assertStatus(200); + $pageView->assertElementNotContains('.page-content', ''); + } + + } - $revToRestore = $page->revisions()->where('name', 'like', '%abc123')->first(); - $restoreReq = $this->get($page->getUrl() . '/revisions/' . $revToRestore->id . '/restore'); - $page = Page::find($page->id); + public function test_iframe_js_and_base64_urls_are_removed() + { + $checks = [ + '', + '', + '', + '', + '' + ]; - $restoreReq->assertStatus(302); - $restoreReq->assertRedirect($page->getUrl()); + $this->asEditor(); + $page = Page::first(); + + foreach ($checks as $check) { + $page->html = $check; + $page->save(); + + $pageView = $this->get($page->getUrl()); + $pageView->assertStatus(200); + $pageView->assertElementNotContains('.page-content', ''); + $pageView->assertElementNotContains('.page-content', 'src='); + $pageView->assertElementNotContains('.page-content', 'javascript:'); + $pageView->assertElementNotContains('.page-content', 'data:'); + $pageView->assertElementNotContains('.page-content', 'base64'); + } - $pageView = $this->get($page->getUrl()); - $pageView->assertSee('abc123'); - $pageView->assertSee('def456'); } - public function test_page_content_scripts_escaped_by_default() + public function test_page_inline_on_attributes_removed_by_default() { $this->asEditor(); $page = Page::first(); - $script = ''; + $script = '

Hello

'; $page->html = "escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); + $pageView->assertStatus(200); $pageView->assertDontSee($script); - $pageView->assertSee(htmlentities($script)); + $pageView->assertSee('

Hello

'); + } + + public function test_more_complex_inline_on_attributes_escaping_scenarios() + { + $checks = [ + '

Hello

', + '
Lorem ipsum dolor sit amet.

Hello

', + '
Lorem ipsum dolor sit amet.

Hello

', + '
Lorem ipsum dolor sit amet.

Hello

', + '
Lorem ipsum dolor sit amet.

Hello

', + ''; + + $script = 'abc123abc123'; $page->html = "no escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertSee($script); - $pageView->assertDontSee(htmlentities($script)); + $pageView->assertDontSee('abc123abc123'); + } + + public function test_page_inline_on_attributes_show_if_configured() + { + $this->asEditor(); + $page = Page::first(); + config()->push('app.allow_content_scripts', 'true'); + + $script = '

Hello

'; + $page->html = "escape {$script}"; + $page->save(); + + $pageView = $this->get($page->getUrl()); + $pageView->assertSee($script); + $pageView->assertDontSee('

Hello

'); + } + + public function test_duplicate_ids_does_not_break_page_render() + { + $this->asEditor(); + $pageA = Page::first(); + $pageB = Page::query()->where('id', '!=', $pageA->id)->first(); + + $content = ' '; + $pageA->html = $content; + $pageA->save(); + + $pageB->html = '

{{@'. $pageA->id .'#test}}

'; + $pageB->save(); + + $pageView = $this->get($pageB->getUrl()); + $pageView->assertSuccessful(); } + public function test_duplicate_ids_fixed_on_page_save() + { + $this->asEditor(); + $page = Page::first(); + + $content = ''; + $pageSave = $this->put($page->getUrl(), [ + 'name' => $page->name, + 'html' => $content, + 'summary' => '' + ]); + $pageSave->assertRedirect(); + + $updatedPage = Page::where('id', '=', $page->id)->first(); + $this->assertEquals(substr_count($updatedPage->html, "bkmrk-test\""), 1); + } + + public function test_get_page_nav_sets_correct_properties() + { + $content = '

Hello

There

Donkey

'; + $pageContent = new PageContent(new Page(['html' => $content])); + $navMap = $pageContent->getNavigation($content); + + $this->assertCount(3, $navMap); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h1', + 'link' => '#testa', + 'text' => 'Hello', + 'level' => 1, + ], $navMap[0]); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h2', + 'link' => '#testb', + 'text' => 'There', + 'level' => 2, + ], $navMap[1]); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h3', + 'link' => '#testc', + 'text' => 'Donkey', + 'level' => 3, + ], $navMap[2]); + } + + public function test_get_page_nav_does_not_show_empty_titles() + { + $content = '

Hello

 

'; + $pageContent = new PageContent(new Page(['html' => $content])); + $navMap = $pageContent->getNavigation($content); + + $this->assertCount(1, $navMap); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h1', + 'link' => '#testa', + 'text' => 'Hello' + ], $navMap[0]); + } + + public function test_get_page_nav_shifts_headers_if_only_smaller_ones_are_used() + { + $content = '

Hello

There
Donkey
'; + $pageContent = new PageContent(new Page(['html' => $content])); + $navMap = $pageContent->getNavigation($content); + + $this->assertCount(3, $navMap); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h4', + 'level' => 1, + ], $navMap[0]); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h5', + 'level' => 2, + ], $navMap[1]); + $this->assertArrayMapIncludes([ + 'nodeName' => 'h6', + 'level' => 3, + ], $navMap[2]); + } }