X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/e9a215982b6e522f21653d2d164abcb7246b0f77..9a9b25346dbf380e955ffa815bbe6f6d4ac9c5a6:/t/htmlize.t?ds=inline
diff --git a/t/htmlize.t b/t/htmlize.t
index 670500a67..a7e7f8c39 100755
--- a/t/htmlize.t
+++ b/t/htmlize.t
@@ -1,7 +1,7 @@
#!/usr/bin/perl
use warnings;
use strict;
-use Test::More tests => 5;
+use Test::More tests => 26;
use Encode;
BEGIN { use_ok("IkiWiki"); }
@@ -12,14 +12,59 @@ $config{srcdir}=$config{destdir}="/dev/null";
IkiWiki::loadplugins();
IkiWiki::checkconfig();
-is(IkiWiki::htmlize("foo", "mdwn", "foo\n\nbar\n"), "foo
\n\nbar
\n",
+is(IkiWiki::htmlize("foo", "foo", "mdwn", "foo\n\nbar\n"), "foo
\n\nbar
\n",
"basic");
-is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")),
+is(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test1.mdwn")),
Encode::decode_utf8(qq{
\nóóóóó
\n}),
"utf8; bug #373203");
-ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")),
+ok(IkiWiki::htmlize("foo", "foo", "mdwn", readfile("t/test2.mdwn")),
"this file crashes markdown if it's fed in as decoded utf-8");
-my $ret=IkiWiki::htmlize("foo", "mdwn", readfile("t/javascript.mdwn"));
-ok($ret !~ /GOTCHA/,
- "javascript.mdwn contains a number of attempts at getting
- javascript that contains GOTCHA past the html sanitiser.");
+
+sub gotcha {
+ my $html=IkiWiki::htmlize("foo", "foo", "mdwn", shift);
+ return $html =~ /GOTCHA/;
+}
+ok(!gotcha(q{click me}),
+ "javascript url");
+ok(!gotcha(q{click me}),
+ "partially encoded javascript url");
+ok(!gotcha(q{click me}),
+ "jscript url");
+ok(!gotcha(q{click me}),
+ "vbscrpt url");
+ok(!gotcha(q{click me}),
+ "java-tab-script url");
+ok(!gotcha(q{foo}),
+ "entity-encoded CSS script test");
+ok(!gotcha(q{foo}),
+ "another entity-encoded CSS script test");
+ok(!gotcha(q{}),
+ "script tag");
+ok(!gotcha(q{}),
+ "form action with javascript");
+ok(!gotcha(q{}),
+ "video poster with javascript");
+ok(!gotcha(q{a}),
+ "CSS script test");
+ok(! gotcha(q{
}),
+ "data:text/javascript (jeez!)");
+ok(gotcha(q{
}), "data:image/png");
+ok(gotcha(q{
}), "data:image/gif");
+ok(gotcha(q{
}), "data:image/jpeg");
+ok(gotcha(q{javascript:alert('GOTCHA')
}),
+ "not javascript AFAIK (but perhaps some web browser would like to
+ be perverse and assume it is?)");
+ok(gotcha(q{
}), "not javascript");
+ok(gotcha(q{foo}), "not javascript");
+is(IkiWiki::htmlize("foo", "foo", "mdwn",
+ q{
}),
+ q{}, "img with alt tag allowed");
+is(IkiWiki::htmlize("foo", "foo", "mdwn",
+ q{}),
+ q{}, "absolute url allowed");
+is(IkiWiki::htmlize("foo", "foo", "mdwn",
+ q{}),
+ q{}, "relative url allowed");
+is(IkiWiki::htmlize("foo", "foo", "mdwn",
+ q{bar}),
+ q{bar}, "class attribute allowed");