X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/e9a19d587857ba5afcaa411718af61b62aaff1ac..refs/pull/5280/head:/tests/Entity/CommentTest.php
diff --git a/tests/Entity/CommentTest.php b/tests/Entity/CommentTest.php
index c080359bc..73136235c 100644
--- a/tests/Entity/CommentTest.php
+++ b/tests/Entity/CommentTest.php
@@ -18,10 +18,10 @@ class CommentTest extends TestCase
 $resp = $this->postJson("/comment/$page->id", $comment->getAttributes());
 $resp->assertStatus(200);
- $resp->assertSee($comment->text);
+ $resp->assertSee($comment->html, false);
 $pageResp = $this->get($page->getUrl());
- $pageResp->assertSee($comment->text);
+ $pageResp->assertSee($comment->html, false);
 $this->assertDatabaseHas('comments', [
 'local_id' => 1,
@@ -82,11 +82,10 @@ class CommentTest extends TestCase
 public function test_scripts_cannot_be_injected_via_comment_html()
 {
- $this->asAdmin();
 $page = $this->entities->page();
 $script = '

My lovely comment

';
- $this->postJson("/comment/$page->id", [
+ $this->asAdmin()->postJson("/comment/$page->id", [
 'html' => $script,
 ]);
@@ -104,6 +103,43 @@ class CommentTest extends TestCase
 $pageView->assertSee('

My lovely comment

updated

');
 }
+ public function test_scripts_are_removed_even_if_already_in_db()
+ {
+ $page = $this->entities->page();
+ Comment::factory()->create([
+ 'html' => '

scriptincommentest

',
+ 'entity_type' => 'page', 'entity_id' => $page
+ ]);
+
+ $resp = $this->asAdmin()->get($page->getUrl());
+ $resp->assertSee('scriptincommentest', false);
+ $resp->assertDontSee('superbadscript', false);
+ $resp->assertDontSee('superbadonclick', false);
+ }
+
+ public function test_comment_html_is_limited()
+ {
+ $page = $this->entities->page();
+ $input = '

Test

Contenta

Hello

'; + $expected = '

Contenta

';
+ $resp = $this->asAdmin()->post("/comment/{$page->id}", ['html' => $input]);
+ $resp->assertOk();
+ $this->assertDatabaseHas('comments', [
+ 'entity_type' => 'page',
+ 'entity_id' => $page->id,
+ 'html' => $expected,
+ ]);
+
+ $comment = $page->comments()->first();
+ $resp = $this->put("/comment/{$comment->id}", ['html' => $input]);
+ $resp->assertOk();
+ $this->assertDatabaseHas('comments', [
+ 'id' => $comment->id,
+ 'html' => $expected,
+ ]);
+ }
+
 public function test_reply_comments_are_nested()
 {
 $this->asAdmin();
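Review bot: In `test_scripts_are_removed_even_if_already_in_db` the factory row is seeded with `'entity_id' => $page`, handing the Page model to a column that holds an integer id, while `test_comment_html_is_limited` in the same hunk correctly uses `$page->id`. How the model is coerced on the way into the database depends on the driver, so the comment may end up attached to the page by accident rather than by design, and a change of test database could make `assertSee('scriptincommentest', false)` fail for a reason unrelated to sanitisation. Use `'entity_type' => 'page',` and `'entity_id' => $page->id,` on separate lines with trailing commas, matching the array style of the second test. The second test relies on the admin session from the `asAdmin()` call before the `post`, which is worth a short comment above the `put` so the implicit dependency is visible.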