1 <?php namespace Tests\Entity;
2
3 use BookStack\Entities\Tools\PageContent;
4 use BookStack\Entities\Models\Page;
5 use Tests\TestCase;
6 use Tests\Uploads\UsesImages;
7
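/**
 * Feature tests for page content handling: `{{@id}}` include tags, the
 * script/iframe/link/form/meta/on-attribute sanitisation applied when a page
 * is rendered, id/anchor normalisation on save, navigation extraction,
 * markdown rendering and extraction of base64 images into real files.
 *
 * All HTTP-level tests act as the "editor" user and reuse the first page(s)
 * in the seeded database rather than creating fixtures of their own.
 */
class PageContentTest extends TestCase
{
    use UsesImages;

    /**
     * Small JPEG, base64-encoded without the `data:` prefix; the base64 image
     * extraction tests below wrap it in an `<img src="data:...">` tag.
     */
    protected $base64Jpeg = '/9j/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=';

    /**
     * `{{@id}}` renders the whole of another page's content inline, while
     * `{{@id#section}}` renders only the element carrying that id.
     */
    public function test_page_includes()
    {
        $page = Page::first();
        $secondPage = Page::where('id', '!=', $page->id)->first();

        $secondPage->html = "<p id='section1'>Hello, This is a test</p><p id='section2'>This is a second block of content</p>";
        $secondPage->save();

        $this->asEditor();

        // Baseline: nothing from the second page leaks in without an include tag.
        $pageContent = $this->get($page->getUrl());
        $pageContent->assertDontSee('Hello, This is a test');

        $originalHtml = $page->html;
        $page->html .= "{{@{$secondPage->id}}}";
        $page->save();

        $pageContent = $this->get($page->getUrl());
        $pageContent->assertSee('Hello, This is a test');
        $pageContent->assertSee('This is a second block of content');

        // Section-scoped include: only #section2 should be pulled in.
        $page->html = $originalHtml . " Well {{@{$secondPage->id}#section2}}";
        $page->save();

        $pageContent = $this->get($page->getUrl());
        $pageContent->assertDontSee('Hello, This is a test');
        $pageContent->assertSee('Well This is a second block of content');
    }

    /**
     * Saving a page whose only content is an include tag keeps the tag
     * verbatim in the stored HTML and leaves the derived plain text empty.
     */
    public function test_saving_page_with_includes()
    {
        $page = Page::first();
        $secondPage = Page::where('id', '!=', $page->id)->first();

        $this->asEditor();
        $includeTag = '{{@' . $secondPage->id . '}}';
        $page->html = '<p>' . $includeTag . '</p>';

        $resp = $this->put($page->getUrl(), ['name' => $page->name, 'html' => $page->html, 'summary' => '']);

        $resp->assertStatus(302);

        $page = Page::find($page->id);
        $this->assertStringContainsString($includeTag, $page->html);
        $this->assertEquals('', $page->text);
    }

    /**
     * Including a table by id keeps the full table markup intact.
     */
    public function test_page_includes_do_not_break_tables()
    {
        $page = Page::first();
        $secondPage = Page::where('id', '!=', $page->id)->first();

        $content = '<table id="table"><tbody><tr><td>test</td></tr></tbody></table>';
        $secondPage->html = $content;
        $secondPage->save();

        $page->html = "{{@{$secondPage->id}#table}}";
        $page->save();

        $this->asEditor();
        $pageResp = $this->get($page->getUrl());
        $pageResp->assertSee($content);
    }

    /**
     * Include tags are resolved in the HTML book export, including content
     * pulled from a page that lives in a different book.
     */
    public function test_page_includes_rendered_on_book_export()
    {
        $page = Page::query()->first();
        $secondPage = Page::query()
            ->where('book_id', '!=', $page->book_id)
            ->first();

        $content = '<p id="bkmrk-meow">my cat is awesome and scratchy</p>';
        $secondPage->html = $content;
        $secondPage->save();

        $page->html = "{{@{$secondPage->id}#bkmrk-meow}}";
        $page->save();

        $this->asEditor();
        $htmlContent = $this->get($page->book->getUrl('/export/html'));
        $htmlContent->assertSee('my cat is awesome and scratchy');
    }

    /**
     * With the default configuration a `<script>` element is dropped from the
     * rendered page while the surrounding text is kept.
     */
    public function test_page_content_scripts_removed_by_default()
    {
        $this->asEditor();
        $page = Page::first();
        $script = 'abc123<script>console.log("hello-test")</script>abc123';
        $page->html = "escape {$script}";
        $page->save();

        $pageView = $this->get($page->getUrl());
        $pageView->assertStatus(200);
        $pageView->assertDontSee($script);
        $pageView->assertSee('abc123abc123');
    }

    /**
     * Script removal holds for nested, mis-nested and unbalanced markup, not
     * just a well-formed top-level `<script>` element.
     */
    public function test_more_complex_content_script_escaping_scenarios()
    {
        $checks = [
            "<p>Some script</p><script>alert('cat')</script>",
            "<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
            "<p>Some script<script>alert('cat')</script></p>",
            "<p>Some script <div><script>alert('cat')</script></div></p>",
            "<p>Some script <script><div>alert('cat')</script></div></p>",
            "<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', '<script>');
            $pageView->assertElementNotContains('.page-content', '</script>');
        }
    }

    /**
     * iframes whose `src` is a `javascript:` or `data:` URL (including with
     * leading whitespace and mixed-case attribute names), and iframes using
     * `srcdoc`, do not survive rendering.
     */
    public function test_iframe_js_and_base64_urls_are_removed()
    {
        $checks = [
            '<iframe src="javascript:alert(document.cookie)"></iframe>',
            '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
            '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
            '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
            '<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', '<iframe>');
            $pageView->assertElementNotContains('.page-content', '</iframe>');
            // The scheme/substring checks are the ones that catch a surviving attribute.
            $pageView->assertElementNotContains('.page-content', 'src=');
            $pageView->assertElementNotContains('.page-content', 'javascript:');
            $pageView->assertElementNotContains('.page-content', 'data:');
            $pageView->assertElementNotContains('.page-content', 'base64');
        }
    }

    /**
     * Anchor elements with a `javascript:` href (with or without whitespace
     * after the scheme) are removed from the rendered page.
     *
     * The href values are now properly quoted; previously the closing quote
     * was missing, so the parser saw an unterminated attribute rather than
     * the well-formed link this test is meant to cover.
     */
    public function test_javascript_uri_links_are_removed()
    {
        $checks = [
            '<a id="xss" href="javascript:alert(document.cookie)">Click me</a>',
            '<a id="xss" href="javascript: alert(document.cookie)">Click me</a>',
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', '<a id="xss">');
            $pageView->assertElementNotContains('.page-content', 'href=javascript:');
            // Rendered attribute values are normally quoted, so the unquoted
            // `href=javascript:` form above is unlikely to appear even if the
            // href survived; asserting on the bare scheme (as the iframe test
            // does) is what actually detects a sanitiser regression.
            $pageView->assertElementNotContains('.page-content', 'javascript:');
        }
    }

    /**
     * Forms, buttons and inputs that route a submission to a `javascript:`
     * URL via `action` or `formaction` are removed from the rendered page.
     */
    public function test_form_actions_with_javascript_are_removed()
    {
        $checks = [
            '<form><input id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><input></form>',
            '<form ><button id="xss" formaction=javascript:alert(document.domain)>Click me</button></form>',
            '<form id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></form>',
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', '<button id="xss"');
            $pageView->assertElementNotContains('.page-content', '<input id="xss"');
            $pageView->assertElementNotContains('.page-content', '<form id="xss"');
            $pageView->assertElementNotContains('.page-content', 'action=javascript:');
            $pageView->assertElementNotContains('.page-content', 'formaction=javascript:');
            // Scheme-level check, independent of how attributes are quoted on output.
            $pageView->assertElementNotContains('.page-content', 'javascript:');
        }
    }

    /**
     * A `<meta http-equiv="refresh">` redirect to an external URL is stripped
     * so page content cannot bounce the viewer elsewhere.
     */
    public function test_metadata_redirects_are_removed()
    {
        $checks = [
            '<meta http-equiv="refresh" content="0; url=//external_url">',
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', '<meta>');
            $pageView->assertElementNotContains('.page-content', '</meta>');
            $pageView->assertElementNotContains('.page-content', 'content=');
            $pageView->assertElementNotContains('.page-content', 'external_url');
        }
    }

    /**
     * Inline `on*` event handler attributes are stripped by default, leaving
     * the element itself in place.
     */
    public function test_page_inline_on_attributes_removed_by_default()
    {
        $this->asEditor();
        $page = Page::first();
        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
        $page->html = "escape {$script}";
        $page->save();

        $pageView = $this->get($page->getUrl());
        $pageView->assertStatus(200);
        $pageView->assertDontSee($script);
        $pageView->assertSee('<p>Hello</p>');
    }

    /**
     * `onclick` handlers are stripped regardless of nesting depth or how many
     * elements carry one. The final, malformed case checks the parser copes
     * with an unterminated attribute containing tag-like text.
     */
    public function test_more_complex_inline_on_attributes_escaping_scenarios()
    {
        $checks = [
            '<p onclick="console.log(\'test\')">Hello</p>',
            '<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
            '<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
            '<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
            '<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
            '<a a="<img src=1 onerror=\'alert(1)\'> ',
        ];

        $this->asEditor();
        $page = Page::first();

        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();

            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertElementNotContains('.page-content', 'onclick');
        }
    }

    /**
     * With `app.allow_content_scripts` enabled, `<script>` elements are
     * rendered unchanged.
     */
    public function test_page_content_scripts_show_when_configured()
    {
        $this->asEditor();
        $page = Page::first();
        config()->push('app.allow_content_scripts', 'true');

        $script = 'abc123<script>console.log("hello-test")</script>abc123';
        $page->html = "no escape {$script}";
        $page->save();

        $pageView = $this->get($page->getUrl());
        $pageView->assertSee($script);
        $pageView->assertDontSee('abc123abc123');
    }

    /**
     * With `app.allow_content_scripts` enabled, inline `on*` attributes are
     * rendered unchanged.
     */
    public function test_page_inline_on_attributes_show_if_configured()
    {
        $this->asEditor();
        $page = Page::first();
        config()->push('app.allow_content_scripts', 'true');

        $script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
        $page->html = "escape {$script}";
        $page->save();

        $pageView = $this->get($page->getUrl());
        $pageView->assertSee($script);
        $pageView->assertDontSee('<p>Hello</p>');
    }

    /**
     * Duplicate (and percent-encoded) ids across an including page and an
     * included page do not cause the render to fail.
     */
    public function test_duplicate_ids_does_not_break_page_render()
    {
        $this->asEditor();
        $pageA = Page::first();
        $pageB = Page::query()->where('id', '!=', $pageA->id)->first();

        $content = '<ul id="bkmrk-xxx-%28"></ul> <ul id="bkmrk-xxx-%28"></ul>';
        $pageA->html = $content;
        $pageA->save();

        $pageB->html = '<ul id="bkmrk-xxx-%28"></ul> <p>{{@'. $pageA->id .'#test}}</p>';
        $pageB->save();

        $pageView = $this->get($pageB->getUrl());
        $pageView->assertSuccessful();
    }

    /**
     * Saving content with two elements sharing an id leaves exactly one
     * element with that id in the stored HTML.
     */
    public function test_duplicate_ids_fixed_on_page_save()
    {
        $this->asEditor();
        $page = Page::first();

        $content = '<ul id="bkmrk-test"><li>test a</li><li><ul id="bkmrk-test"><li>test b</li></ul></li></ul>';
        $pageSave = $this->put($page->getUrl(), [
            'name' => $page->name,
            'html' => $content,
            'summary' => '',
        ]);
        $pageSave->assertRedirect();

        $updatedPage = Page::where('id', '=', $page->id)->first();
        // PHPUnit convention: expected value first, actual second.
        $this->assertEquals(1, substr_count($updatedPage->html, "bkmrk-test\""));
    }

    /**
     * Headings with a non-`bkmrk-` id are re-identified on save, and in-page
     * anchors pointing at the old id are rewritten to match.
     */
    public function test_anchors_referencing_non_bkmrk_ids_rewritten_after_save()
    {
        $this->asEditor();
        $page = Page::first();

        $content = '<h1 id="non-standard-id">test</h1><p><a href="#non-standard-id">link</a></p>';
        $this->put($page->getUrl(), [
            'name' => $page->name,
            'html' => $content,
            'summary' => '',
        ]);

        $updatedPage = Page::where('id', '=', $page->id)->first();
        $this->assertStringContainsString('id="bkmrk-test"', $updatedPage->html);
        $this->assertStringContainsString('href="#bkmrk-test"', $updatedPage->html);
    }

    /**
     * getNavigation() yields one entry per heading with its tag name, anchor
     * link, text and a level starting at 1 for h1.
     */
    public function test_get_page_nav_sets_correct_properties()
    {
        $content = '<h1 id="testa">Hello</h1><h2 id="testb">There</h2><h3 id="testc">Donkey</h3>';
        $pageContent = new PageContent(new Page(['html' => $content]));
        $navMap = $pageContent->getNavigation($content);

        $this->assertCount(3, $navMap);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h1',
            'link' => '#testa',
            'text' => 'Hello',
            'level' => 1,
        ], $navMap[0]);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h2',
            'link' => '#testb',
            'text' => 'There',
            'level' => 2,
        ], $navMap[1]);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h3',
            'link' => '#testc',
            'text' => 'Donkey',
            'level' => 3,
        ], $navMap[2]);
    }

    /**
     * Headings that are empty or contain only a non-breaking space are left
     * out of the navigation.
     */
    public function test_get_page_nav_does_not_show_empty_titles()
    {
        $content = '<h1 id="testa">Hello</h1><h2 id="testb">&nbsp;</h2><h3 id="testc"></h3>';
        $pageContent = new PageContent(new Page(['html' => $content]));
        $navMap = $pageContent->getNavigation($content);

        $this->assertCount(1, $navMap);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h1',
            'link' => '#testa',
            'text' => 'Hello',
        ], $navMap[0]);
    }

    /**
     * When the smallest heading used is deeper than h1, levels are shifted so
     * the top-most heading present becomes level 1.
     */
    public function test_get_page_nav_shifts_headers_if_only_smaller_ones_are_used()
    {
        $content = '<h4 id="testa">Hello</h4><h5 id="testb">There</h5><h6 id="testc">Donkey</h6>';
        $pageContent = new PageContent(new Page(['html' => $content]));
        $navMap = $pageContent->getNavigation($content);

        $this->assertCount(3, $navMap);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h4',
            'level' => 1,
        ], $navMap[0]);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h5',
            'level' => 2,
        ], $navMap[1]);
        $this->assertArrayMapIncludes([
            'nodeName' => 'h6',
            'level' => 3,
        ], $navMap[2]);
    }

    /**
     * The plain-text `text` column derived on save has HTML entities decoded.
     */
    public function test_page_text_decodes_html_entities()
    {
        $page = Page::query()->first();

        $this->actingAs($this->getAdmin())
            ->put($page->getUrl(''), [
                'name' => 'Testing',
                'html' => '<p>&quot;Hello &amp; welcome&quot;</p>',
            ]);

        $page->refresh();
        $this->assertEquals('"Hello & welcome"', $page->text);
    }

    /**
     * A markdown pipe table is converted to an HTML table on save and
     * rendered as one on the page view.
     */
    public function test_page_markdown_table_rendering()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $content = '| Syntax      | Description |
| ----------- | ----------- |
| Header      | Title       |
| Paragraph   | Text        |';
        $this->put($page->getUrl(), [
            'name' => $page->name,  'markdown' => $content,
            'html' => '', 'summary' => '',
        ]);

        $page->refresh();
        $this->assertStringContainsString('</tbody>', $page->html);

        $pageView = $this->get($page->getUrl());
        $pageView->assertElementExists('.page-content table tbody td');
    }

    /**
     * Markdown task-list items become checkbox inputs in the stored HTML and
     * the rendered page.
     */
    public function test_page_markdown_task_list_rendering()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $content = '- [ ] Item a
- [x] Item b';
        $this->put($page->getUrl(), [
            'name' => $page->name,  'markdown' => $content,
            'html' => '', 'summary' => '',
        ]);

        $page->refresh();
        $this->assertStringContainsString('input', $page->html);
        $this->assertStringContainsString('type="checkbox"', $page->html);

        $pageView = $this->get($page->getUrl());
        $pageView->assertElementExists('.page-content input[type=checkbox]');
    }

    /**
     * `~~text~~` markdown is rendered as an `<s>` element inside a paragraph.
     */
    public function test_page_markdown_strikethrough_rendering()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $content = '~~some crossed out text~~';
        $this->put($page->getUrl(), [
            'name' => $page->name,  'markdown' => $content,
            'html' => '', 'summary' => '',
        ]);

        $page->refresh();
        $this->assertStringMatchesFormat('%A<s%A>some crossed out text</s>%A', $page->html);

        $pageView = $this->get($page->getUrl());
        $pageView->assertElementExists('.page-content p > s');
    }

    /**
     * A `data:image/jpeg;base64,...` image in saved content is written to the
     * gallery upload directory and the `src` rewritten to point at that file;
     * the file's bytes equal the decoded base64 payload.
     */
    public function test_base64_images_get_extracted_from_page_content()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $this->put($page->getUrl(), [
            'name' => $page->name, 'summary' => '',
            'html' => '<p>test<img src="data:image/jpeg;base64,'.$this->base64Jpeg.'"/></p>',
        ]);

        $page->refresh();
        // NOTE(review): the expected host below looks proxy-rewritten relative
        // to the usual http://localhost test APP_URL; confirm it matches the
        // test environment before relying on this assertion.
        $this->assertStringMatchesFormat('%A<p%A>test<img src="http://localhost/uploads/images/gallery/%A.jpeg">%A</p>%A', $page->html);

        $matches = [];
        // Fail with a clear message if the src cannot be located, rather than
        // on an undefined $matches[1] below.
        $this->assertSame(1, preg_match('/src="https:\/\/p.rizon.top:443\/http\/localhost(.*?)"/', $page->html, $matches));
        $imagePath = $matches[1];
        $imageFile = public_path($imagePath);
        $this->assertEquals(base64_decode($this->base64Jpeg), file_get_contents($imageFile));

        // Clean up the extracted file so the test leaves no artefact behind.
        $this->deleteImage($imagePath);
    }

    /**
     * Whitespace (newlines, tabs, spaces) inside the base64 payload is
     * ignored when the image is extracted, so the written file matches the
     * whitespace-free decoding.
     */
    public function test_base64_images_get_extracted_when_containing_whitespace()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $base64PngWithWhitespace = "iVBORw0KGg\noAAAANSUhE\tUgAAAAEAAAA BCA   YAAAAfFcSJAAA\n\t ACklEQVR4nGMAAQAABQAB";
        $base64PngWithoutWhitespace = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQAB';
        $this->put($page->getUrl(), [
            'name' => $page->name, 'summary' => '',
            'html' => '<p>test<img src="data:image/png;base64,'.$base64PngWithWhitespace.'"/></p>',
        ]);

        $page->refresh();
        $this->assertStringMatchesFormat('%A<p%A>test<img src="http://localhost/uploads/images/gallery/%A.png">%A</p>%A', $page->html);

        $matches = [];
        // Guard the capture group before using it.
        $this->assertSame(1, preg_match('/src="https:\/\/p.rizon.top:443\/http\/localhost(.*?)"/', $page->html, $matches));
        $imagePath = $matches[1];
        $imageFile = public_path($imagePath);
        $this->assertEquals(base64_decode($base64PngWithoutWhitespace), file_get_contents($imageFile));

        $this->deleteImage($imagePath);
    }

    /**
     * A base64 image with an unsupported media type (here `image/jiff`) is
     * not written to disk; its `src` is blanked instead of being kept inline.
     */
    public function test_base64_images_blanked_if_not_supported_extension_for_extract()
    {
        $this->asEditor();
        $page = Page::query()->first();

        $this->put($page->getUrl(), [
            'name' => $page->name, 'summary' => '',
            'html' => '<p>test<img src="data:image/jiff;base64,'.$this->base64Jpeg.'"/></p>',
        ]);

        $page->refresh();
        $this->assertStringContainsString('<img src=""', $page->html);
    }
}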
544         $this->assertStringContainsString('<img src=""', $page->html);
545     }
546 }