X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/06901b878f2c8057a6f9b7d2e0adfda425c68dee..refs/pull/5096/head:/tests/Entity/CommentTest.php

diff --git a/tests/Entity/CommentTest.php b/tests/Entity/CommentTest.php
index 76e014e80..73136235c 100644
--- a/tests/Entity/CommentTest.php
+++ b/tests/Entity/CommentTest.php
@@ -18,10 +18,10 @@ class CommentTest extends TestCase
         $resp = $this->postJson("/comment/$page->id", $comment->getAttributes());
 
         $resp->assertStatus(200);
-        $resp->assertSee($comment->text);
+        $resp->assertSee($comment->html, false);
 
         $pageResp = $this->get($page->getUrl());
-        $pageResp->assertSee($comment->text);
+        $pageResp->assertSee($comment->html, false);
 
         $this->assertDatabaseHas('comments', [
             'local_id'    => 1,
@@ -117,6 +117,29 @@ class CommentTest extends TestCase
         $resp->assertDontSee('superbadonclick', false);
     }
 
+    public function test_comment_html_is_limited()
+    {
+        $page = $this->entities->page();
+        $input = '<h1>Test</h1><p id="abc" href="beans">Content<a href="#cat" data-a="b">a</a><section>Hello</section></p>';
+        $expected = '<p>Content<a href="#cat">a</a></p>';
+
+        $resp = $this->asAdmin()->post("/comment/{$page->id}", ['html' => $input]);
+        $resp->assertOk();
+        $this->assertDatabaseHas('comments', [
+           'entity_type' => 'page',
+           'entity_id' => $page->id,
+           'html' => $expected,
+        ]);
+
+        $comment = $page->comments()->first();
+        $resp = $this->put("/comment/{$comment->id}", ['html' => $input]);
+        $resp->assertOk();
+        $this->assertDatabaseHas('comments', [
+            'id'   => $comment->id,
+            'html' => $expected,
+        ]);
+    }
+
     public function test_reply_comments_are_nested()
     {
         $this->asAdmin();