X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/6551c1e5609967c0c7f947fa0e9d85d24e454d37..34594fb89a78c26f934a03e06c1aebb097ad57d2:/t/htmlize.t diff --git a/t/htmlize.t b/t/htmlize.t index 687eb03a8..a7e7f8c39 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,21 +1,70 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 5; +use Test::More tests => 26; use Encode; BEGIN { use_ok("IkiWiki"); } -BEGIN { use_ok("IkiWiki::Render"); } # Initialize htmlscrubber plugin -%IkiWiki::config=IkiWiki::defaultconfig(); -$IkiWiki::config{srcdir}=$IkiWiki::config{destdir}="/dev/null"; +%config=IkiWiki::defaultconfig(); +$config{srcdir}=$config{destdir}="/dev/null"; +IkiWiki::loadplugins(); IkiWiki::checkconfig(); -is(IkiWiki::htmlize("mdwn", "foo\n\nbar\n"), "<p>foo</p>\n\n<p>bar</p>\n", +is(IkiWiki::htmlize("foo", "foo", "mdwn", "foo\n\nbar\n"), "<p>foo</p>\n\n<p>bar</p>\n", "basic"); -is(IkiWiki::htmlize("mdwn", IkiWiki::readfile("t/test1.mdwn")), +is(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test1.mdwn")), Encode::decode_utf8(qq{<p><img src="../images/o.jpg" alt="o" title="ó" />\nóóóóó</p>\n}), "utf8; bug #373203"); -ok(IkiWiki::htmlize("mdwn", IkiWiki::readfile("t/test2.mdwn")), +ok(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); + +sub gotcha { + my $html=IkiWiki::htmlize("foo", "foo", "mdwn", shift); + return $html =~ /GOTCHA/; +} +ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}), + "javascript url"); +ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}), + "partially encoded javascript url"); +ok(!gotcha(q{<a href="jscript:alert('GOTCHA')">click me</a>}), + "jscript url"); +ok(!gotcha(q{<a href="vbscript:alert('GOTCHA')">click me</a>}), + "vbscrpt url"); +ok(!gotcha(q{<a href="java script:alert('GOTCHA')">click me</a>}), + "java-tab-script url"); +ok(!gotcha(q{<span style="any: expressio(GOTCHA)n(window.location='http://example.org/')">foo</span>}), + "entity-encoded CSS script test"); +ok(!gotcha(q{<span style="any: expression(GOTCHA)(window.location='http://example.org/')">foo</span>}), + "another entity-encoded CSS script test"); +ok(!gotcha(q{<script>GOTCHA</script>}), + "script tag"); +ok(!gotcha(q{<form action="javascript:alert('GOTCHA')">foo</form>}), + "form action with javascript"); +ok(!gotcha(q{<video poster="javascript:alert('GOTCHA')" href="foo.avi">foo</video>}), + "video poster with javascript"); +ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}), + "CSS script test"); +ok(! gotcha(q{<img src="data:text/javascript;GOTCHA">}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{<img src="data:image/png;base64,GOTCHA">}), "data:image/png"); +ok(gotcha(q{<img src="data:image/gif;base64,GOTCHA">}), "data:image/gif"); +ok(gotcha(q{<img src="data:image/jpeg;base64,GOTCHA">}), "data:image/jpeg"); +ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}), + "not javascript AFAIK (but perhaps some web browser would like to + be perverse and assume it is?)"); +ok(gotcha(q{<img src="javascript.png?GOTCHA">}), "not javascript"); +ok(gotcha(q{<a href="javascript.png?GOTCHA">foo</a>}), "not javascript"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{<img alt="foo" src="foo.gif">}), + q{<img alt="foo" src="foo.gif">}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{<a href="http://google.com/">}), + q{<a href="http://google.com/">}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{<a href="foo.html">}), + q{<a href="foo.html">}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{<span class="foo">bar</span>}), + q{<span class="foo">bar</span>}, "class attribute allowed");