Comments: Added HTML filter on load, tinymce elem filtering

[bookstack] / tests / Entity / CommentTest.php

diff --git a/tests/Entity/CommentTest.php b/tests/Entity/CommentTest.php
index c080359bc9d1fc4fa151b29f823f880b51623904..76e014e80dc340176891128db051a5c40cfdd2d6 100644 (file)
--- a/tests/Entity/CommentTest.php
+++ b/tests/Entity/CommentTest.php
@@ -82,11 +82,10 @@ class CommentTest extends TestCase
 
     public function test_scripts_cannot_be_injected_via_comment_html()
     {
-        $this->asAdmin();
         $page = $this->entities->page();
 
         $script = '<script>const a = "script";</script><p onclick="1">My lovely comment</p>';
-        $this->postJson("/comment/$page->id", [
+        $this->asAdmin()->postJson("/comment/$page->id", [
             'html' => $script,
         ]);
 
@@ -104,6 +103,20 @@ class CommentTest extends TestCase
         $pageView->assertSee('<p>My lovely comment</p><p>updated</p>');
     }
 
+    public function test_scripts_are_removed_even_if_already_in_db()
+    {
+        $page = $this->entities->page();
+        Comment::factory()->create([
+            'html' => '<script>superbadscript</script><p onclick="superbadonclick">scriptincommentest</p>',
+            'entity_type' => 'page', 'entity_id' => $page
+        ]);
+
+        $resp = $this->asAdmin()->get($page->getUrl());
+        $resp->assertSee('scriptincommentest', false);
+        $resp->assertDontSee('superbadscript', false);
+        $resp->assertDontSee('superbadonclick', false);
+    }
+
     public function test_reply_comments_are_nested()
     {
         $this->asAdmin();