X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/e9a215982b6e522f21653d2d164abcb7246b0f77..26dbe8ba9a397d5d59af789c7ef3576ebdcf2db8:/t/htmlize.t?ds=inline diff --git a/t/htmlize.t b/t/htmlize.t index 670500a67..1569c8dcf 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 5; +use Test::More tests => 31; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -12,14 +12,74 @@ $config{srcdir}=$config{destdir}="/dev/null"; IkiWiki::loadplugins(); IkiWiki::checkconfig(); -is(IkiWiki::htmlize("foo", "mdwn", "foo\n\nbar\n"), "

foo

\n\n

bar

\n", +is(IkiWiki::htmlize("foo", "foo", "mdwn", "foo\n\nbar\n"), "

foo

\n\n

bar

\n", "basic"); -is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), - Encode::decode_utf8(qq{

o\nóóóóó

\n}), - "utf8; bug #373203"); -ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), +my $val=Encode::encode_utf8(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test1.mdwn"))); +ok($val =~/ó/ && $val =~/óóóóó/, "utf8; bug #373203"); +ok(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); -my $ret=IkiWiki::htmlize("foo", "mdwn", readfile("t/javascript.mdwn")); -ok($ret !~ /GOTCHA/, - "javascript.mdwn contains a number of attempts at getting - javascript that contains GOTCHA past the html sanitiser."); + +sub gotcha { + my $html=IkiWiki::htmlize("foo", "foo", "mdwn", shift); + return $html =~ /GOTCHA/; +} +ok(!gotcha(q{click me}), + "javascript url"); +ok(!gotcha(q{click me}), + "jscript url"); +ok(!gotcha(q{click me}), + "vbscrpt url"); +ok(!gotcha(q{click me}), + "java-tab-script url"); +ok(!gotcha(q{foo}), + "entity-encoded CSS script test"); +ok(!gotcha(q{foo}), + "another entity-encoded CSS script test"); +ok(!gotcha(q{}), + "script tag"); +ok(!gotcha(q{
foo
}), + "form action with javascript"); +ok(!gotcha(q{}), + "video poster with javascript"); +ok(!gotcha(q{a}), + "CSS script test"); +ok(! gotcha(q{}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{}), "data:image/png"); +ok(gotcha(q{}), "data:image/gif"); +ok(gotcha(q{}), "data:image/jpeg"); +ok(gotcha(q{

javascript:alert('GOTCHA')

}), + "not javascript AFAIK (but perhaps some web browser would like to + be perverse and assume it is?)"); +ok(gotcha(q{}), "not javascript"); +ok(gotcha(q{foo}), "not javascript"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{foo}), + q{foo}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{bar}), + q{bar}, "class attribute allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "simple anchor allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "colon allowed in anchor"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "colon allowed in query string"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "unknown protocol blocked"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "simple relative anchor allowed"); +is(IkiWiki::htmlize("foo", "foo", "mdwn", + q{}), + q{}, "colon in simple relative anchor allowed");