X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/5e47db9356e0881d0b0cf5135d6e63a64bcde545..b8c55c4db282c87e3bada4491329ac3c940ff28d:/t/htmlize.t?ds=sidebyside diff --git a/t/htmlize.t b/t/htmlize.t index 9e2e3ec59..b19dbcf68 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 16; +use Test::More tests => 26; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -20,7 +20,6 @@ is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); -# embedded javascript sanitisation tests sub gotcha { my $html=IkiWiki::htmlize("foo", "mdwn", shift); return $html =~ /GOTCHA/; @@ -41,10 +40,31 @@ ok(!gotcha(q{GOTCHA}), "script tag"); +ok(!gotcha(q{
foo
}), + "form action with javascript"); +ok(!gotcha(q{}), + "video poster with javascript"); ok(!gotcha(q{a}), "CSS script test"); +ok(! gotcha(q{}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{}), "data:image/png"); +ok(gotcha(q{}), "data:image/gif"); +ok(gotcha(q{}), "data:image/jpeg"); ok(gotcha(q{

javascript:alert('GOTCHA')

}), "not javascript AFAIK (but perhaps some web browser would like to be perverse and assume it is?)"); ok(gotcha(q{}), "not javascript"); ok(gotcha(q{foo}), "not javascript"); +is(IkiWiki::htmlize("foo", "mdwn", + q{foo}), + q{foo}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{bar}), + q{bar}, "class attribute allowed");