X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/f84bf8e883e8e5bd9a24b908e2f90a2742d36d19..refs/pull/2166/head:/tests/Entity/CommentTest.php
diff --git a/tests/Entity/CommentTest.php b/tests/Entity/CommentTest.php
index a2126407b..2562f7e7d 100644
--- a/tests/Entity/CommentTest.php
+++ b/tests/Entity/CommentTest.php
@@ -42,7 +42,6 @@ class CommentTest extends TestCase
 $newText = 'updated text content';
 $resp = $this->putJson("/ajax/comment/$comment->id", [
 'text' => $newText,
- 'html' => '

'.$newText.'

',
 ]);
 $resp->assertStatus(200);
@@ -72,4 +71,46 @@ class CommentTest extends TestCase
 'id' => $comment->id
 ]);
 }
+
+ public function test_comments_converts_markdown_input_to_html()
+ {
+ $page = Page::first();
+ $this->asAdmin()->postJson("/ajax/page/$page->id/comment", [
+ 'text' => '# My Title',
+ ]);
+
+ $this->assertDatabaseHas('comments', [
+ 'entity_id' => $page->id,
+ 'entity_type' => $page->getMorphClass(),
+ 'text' => '# My Title',
+ 'html' => "

My Title

\n",
+ ]);
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertSee('

My Title

');
+ }
+
+ public function test_html_cannot_be_injected_via_comment_content()
+ {
+ $this->asAdmin();
+ $page = Page::first();
+
+ $script = '\n\n# sometextinthecomment';
+ $this->postJson("/ajax/page/$page->id/comment", [
+ 'text' => $script,
+ ]);
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertDontSee($script);
+ $pageView->assertSee('sometextinthecomment');
+
+ $comment = $page->comments()->first();
+ $this->putJson("/ajax/comment/$comment->id", [
+ 'text' => $script . 'updated',
+ ]);
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertDontSee($script);
+ $pageView->assertSee('sometextinthecommentupdated');
+ }
 }
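Review bot: In test_html_cannot_be_injected_via_comment_content the payload `$script = '\n\n# sometextinthecomment';` is single-quoted, so `\n` stays a literal backslash-n and the `# ` heading marker never begins a line; the comment is submitted as a single line and the multi-line/heading input the test appears to target is not actually exercised. Double quotes, `$script = "\n\n# sometextinthecomment";` (keeping whatever markup precedes the newlines), give the renderer a real blank line before the heading. The markup portion of the payload is not visible in this rendering of the hunk, so I cannot confirm exactly what `assertDontSee($script)` is matched against; since newer framework versions HTML-escape the argument of `assertDontSee` by default, that assertion would fail if the sanitiser escapes rather than strips the tags, so asserting on a distinctive substring of the payload (or passing the `$escape` argument as false where supported) would make the intended check robust to either sanitiser behaviour. The same payload construction is reused for the update step via `$script . 'updated'`, so the fix applies to both halves of the test.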