summaryrefslogtreecommitdiff
path: root/t/htmlize.t
blob: 9e2e3ec594eded64c1b9388c705db515583b89e1 (plain) 
    

  1. #!/usr/bin/perl
    2. 

  2. use warnings;
    3. 

  3. use strict;
    4. 

  4. use Test::More tests => 16;
    5. 

  5. use Encode;
    6. 

  6. 

  7. BEGIN { use_ok("IkiWiki"); }
    8. 

  8. 

  9. # Initialize htmlscrubber plugin
    10. 

  10. %config=IkiWiki::defaultconfig();
    11. 

  11. $config{srcdir}=$config{destdir}="/dev/null";
    12. 

  12. IkiWiki::loadplugins();
    13. 

  13. IkiWiki::checkconfig();
    14. 

  14. 

  15. is(IkiWiki::htmlize("foo", "mdwn", "foo\n\nbar\n"), "<p>foo</p>\n\n<p>bar</p>\n",
    16. 

  16.     "basic");
    17. 

  17. is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")),
    18. 

  18.     Encode::decode_utf8(qq{<p><img src="../images/o.jpg" alt="o" title="&oacute;" />\nóóóóó</p>\n}),
    19. 

  19.     "utf8; bug #373203");
    20. 

  20. ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")),
    21. 

  21.     "this file crashes markdown if it's fed in as decoded utf-8");
    22. 

  22. 

  23. # embedded javascript sanitisation tests
    24. 

  24. sub gotcha {
    25. 

  25.     my $html=IkiWiki::htmlize("foo", "mdwn", shift);
    26. 

  26.     return $html =~ /GOTCHA/;
    27. 

  27. }
    28. 

  28. ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}),
    29. 

  29.     "javascript url");
    30. 

  30. ok(!gotcha(q{<a href="javascript&#x3A;alert('GOTCHA')">click me</a>}),
    31. 

  31.     "partially encoded javascript url");
    32. 

  32. ok(!gotcha(q{<a href="jscript:alert('GOTCHA')">click me</a>}),
    33. 

  33.     "jscript url");
    34. 

  34. ok(!gotcha(q{<a href="vbscript:alert('GOTCHA')">click me</a>}),
    35. 

  35.     "vbscrpt url");
    36. 

  36. ok(!gotcha(q{<a href="java  script:alert('GOTCHA')">click me</a>}),
    37. 

  37.     "java-tab-script url");
    38. 

  38. ok(!gotcha(q{<span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;(GOTCHA)&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">foo</span>}),
    39. 

  39.     "entity-encoded CSS script test");
    40. 

  40. ok(!gotcha(q{<span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;(GOTCHA)&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">foo</span>}),
    41. 

  41.     "another entity-encoded CSS script test");
    42. 

  42. ok(!gotcha(q{<script>GOTCHA</script>}),
    43. 

  43.     "script tag");
    44. 

  44. ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}),
    45. 

  45.     "CSS script test");
    46. 

  46. ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}),
    47. 

  47.     "not javascript AFAIK (but perhaps some web browser would like to
    48. 

  48.     be perverse and assume it is?)");
    49. 

  49. ok(gotcha(q{<img src="javascript.png?GOTCHA">}), "not javascript");
    50. 

  50. ok(gotcha(q{<a href="javascript.png?GOTCHA">foo</a>}), "not javascript");
    51.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 02:56:51 +0000