#!/usr/bin/perl
# Tests for the htmlscrubber plugin.  Markup is pushed through
# IkiWiki::htmlize() with the mdwn htmlizer and the rendered output is
# checked for what the scrubber must strip and what it must leave alone.
use warnings;
use strict;
# Fixed plan: this must equal the number of use_ok/is/ok calls in the file.
use Test::More tests => 32;
use Encode;

# use_ok() runs at compile time so that IkiWiki's exports (%config and
# readfile are used unqualified below under strict) are in scope.
BEGIN { use_ok("IkiWiki"); }

# Initialize htmlscrubber plugin
%config=IkiWiki::defaultconfig();
# Both trees point at /dev/null: the test is not meant to read or write a
# real wiki on disk.
$config{srcdir}=$config{destdir}="/dev/null";
IkiWiki::loadplugins();
IkiWiki::checkconfig();

# Rendering sanity checks that have to hold before the scrubber cases below
# mean anything: plain markdown, a UTF-8 source file, and a file that once
# crashed markdown when fed in as decoded utf-8.
is(IkiWiki::htmlize("foo", "foo", "mdwn", "foo\n\nbar\n"),
	"<p>foo</p>\n\n<p>bar</p>\n", "basic");
{
	# The expected output is decoded from UTF-8 so that it is compared as a
	# character string (bug #373203).
	my $want = Encode::decode_utf8(
		qq{<p><img src="../images/o.jpg" alt="o" title="ó" />\nóóóóó</p>\n});
	is(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test1.mdwn")),
		$want, "utf8; bug #373203");
}
ok(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test2.mdwn")),
	"this file crashes markdown if it's fed in as decoded utf-8");

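# Render $markup through the mdwn htmlizer (which applies the scrubber) and
# report whether the GOTCHA marker survived into the output.
#
# Returns a scalar in every context: 1 when GOTCHA is present, "" otherwise.
# The match is forced into scalar context on purpose: a bare
# `return $html =~ /GOTCHA/` yields an empty list on a non-match when the
# caller is in list context -- e.g. ok(gotcha($x), "name") -- which hands
# ok() only the name as its value and makes a positive case impossible to
# fail.
sub gotcha {
	my ($markup) = @_;
	my $html = IkiWiki::htmlize("foo", "foo", "mdwn", $markup);
	return scalar($html =~ /GOTCHA/);
}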
# Injection attempts the scrubber must neutralise: !gotcha() means the
# GOTCHA marker did not survive into the rendered HTML.  The `!` puts the
# call in scalar context, so a non-match is a plain false value here.
ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}),
	"javascript url");
# NOTE(review): as rendered here this case is byte-identical to the one
# above although it is described as "partially encoded"; the entity
# encoding was most likely lost when the page was rendered -- check the
# repository copy.  The "java-tab-script" and the first "entity-encoded
# CSS" case further down look affected in the same way.
ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}),
	"partially encoded javascript url");
ok(!gotcha(q{<a href="jscript:alert('GOTCHA')">click me</a>}),
	"jscript url");
ok(!gotcha(q{<a href="vbscript:alert('GOTCHA')">click me</a>}),
	"vbscrpt url");
ok(!gotcha(q{<a href="java script:alert('GOTCHA')">click me</a>}),
	"java-tab-script url");
ok(!gotcha(q{<span style="any: expressio(GOTCHA)n(window.location='http://example.org/')">foo</span>}),
	"entity-encoded CSS script test");
ok(!gotcha(q{<span style="any: expression(GOTCHA)(window.location='http://example.org/')">foo</span>}),
	"another entity-encoded CSS script test");
ok(!gotcha(q{<script>GOTCHA</script>}),
	"script tag");
# URL-bearing attributes other than href/src must get the same treatment.
ok(!gotcha(q{<form action="javascript:alert('GOTCHA')">foo</form>}),
	"form action with javascript");
ok(!gotcha(q{<video poster="javascript:alert('GOTCHA')" href="foo.avi">foo</video>}),
	"video poster with javascript");
ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}),
	"CSS script test");
ok(! gotcha(q{<img src="data:text/javascript;GOTCHA">}),
	"data:text/javascript (jeez!)");
# Positive cases: data: URIs for image types, and text or file names that
# merely contain the word "javascript", must be left alone, so GOTCHA is
# expected to survive.
# NOTE(review): gotcha() is called in list context inside ok()'s argument
# list, and its `return $html =~ /GOTCHA/` yields an empty list on a
# non-match; ok() would then receive only the test name as its value and
# still pass.  These six cases therefore cannot currently fail -- confirm
# before relying on them as regression coverage.
ok(gotcha(q{<img src="data:image/png;base64,GOTCHA">}), "data:image/png");
ok(gotcha(q{<img src="data:image/gif;base64,GOTCHA">}), "data:image/gif");
ok(gotcha(q{<img src="data:image/jpeg;base64,GOTCHA">}), "data:image/jpeg");
ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}),
"not javascript AFAIK (but perhaps some web browser would like to
be perverse and assume it is?)");
ok(gotcha(q{<img src="javascript.png?GOTCHA">}), "not javascript");
ok(gotcha(q{<a href="javascript.png?GOTCHA">foo</a>}), "not javascript");
# Markup the scrubber must accept.  Every case is rendered through the mdwn
# htmlizer and compared with the expected output; all but the unknown-
# protocol case expect the input back unchanged.
for my $case (
	[ q{<img alt="foo" src="foo.gif">},  q{<img alt="foo" src="foo.gif">},  "img with alt tag allowed" ],
	[ q{<a href="http://google.com/">}, q{<a href="http://google.com/">}, "absolute url allowed" ],
	[ q{<a href="foo.html">},           q{<a href="foo.html">},           "relative url allowed" ],
	[ q{<span class="foo">bar</span>},  q{<span class="foo">bar</span>},  "class attribute allowed" ],
	[ q{<a href="aaa#foo">},            q{<a href="aaa#foo">},            "simple anchor allowed" ],
	[ q{<a href="aaa#foo:bar">},        q{<a href="aaa#foo:bar">},        "colon allowed in anchor" ],
	[ q{<a href="aaa?foo:bar">},        q{<a href="aaa?foo:bar">},        "colon allowed in query string" ],
	# "foo:" names no known protocol, so only the href attribute is
	# expected to be dropped while the element itself stays.
	[ q{<a href="foo:bar">},            q{<a>},                           "unknown protocol blocked" ],
	[ q{<a href="#foo">},               q{<a href="#foo">},               "simple relative anchor allowed" ],
	[ q{<a href="#foo:bar">},           q{<a href="#foo:bar">},           "colon in simple relative anchor allowed" ],
) {
	my ($markup, $expected, $name) = @$case;
	is(IkiWiki::htmlize("foo", "foo", "mdwn", $markup), $expected, $name);
}