+ public function test_iframe_js_and_base64_urls_are_removed()
+ {
+ $checks = [
+ '<iframe src="javascript:alert(document.cookie)"></iframe>',
+ '<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
+ '<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+ '<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
+
+ ];
+
+ $this->asEditor();
+ $page = Page::first();
+
+ foreach ($checks as $check) {
+ $page->html = $check;
+ $page->save();
+
+ $pageView = $this->get($page->getUrl());
+ $pageView->assertStatus(200);
+ $pageView->assertElementNotContains('.page-content', '<iframe>');
+ $pageView->assertElementNotContains('.page-content', '</iframe>');
+ $pageView->assertElementNotContains('.page-content', 'src=');
+ $pageView->assertElementNotContains('.page-content', 'javascript:');
+ $pageView->assertElementNotContains('.page-content', 'data:');
+ $pageView->assertElementNotContains('.page-content', 'base64');
+ }
+
+ }
+