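<?php

// strict_types makes the scalar arguments passed to the PHPUnit string
// assertions below fail loudly instead of being silently coerced.
declare(strict_types=1);

namespace space_profiles;

use humhub\modules\space_profiles\helpers\ProfileHtmlSanitizer;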
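/**
 * Unit tests for ProfileHtmlSanitizer::sanitize().
 *
 * The sanitizer is exercised as a black box: each test feeds a small HTML
 * fragment and asserts that the dangerous construct is gone from the output
 * while the benign markup next to it survives. Assertions are substring
 * checks, so they pin "is not present" rather than an exact output format.
 *
 * NOTE(review): `UnitTester` is not imported here, so it resolves to
 * `space_profiles\UnitTester` — confirm that class exposes the PHPUnit
 * string assertions used below.
 */
class ProfileHtmlSanitizerTest extends UnitTester
{
    /**
     * Inline <script> elements and on* event-handler attributes must be
     * removed, while the host element and its class attribute are kept.
     *
     * The negative checks ignore case: a sanitizer that only normalises
     * attribute case (e.g. leaves `ONCLICK=` in place) must still fail here.
     */
    public function testSanitizeRemovesScriptsAndHandlers(): void
    {
        $input = '<script>alert(1)</script><div class="hdr" onclick="alert(2)">OK</div>';

        $output = ProfileHtmlSanitizer::sanitize($input);

        $this->assertStringNotContainsStringIgnoringCase('<script', $output);
        $this->assertStringNotContainsStringIgnoringCase('onclick=', $output);
        $this->assertStringContainsString('<div class="hdr">OK</div>', $output);
    }

    /**
     * A `javascript:` URI in an href must not survive, whereas an https
     * link in the same fragment must.
     *
     * The negative check ignores case so that a mixed-case scheme such as
     * `JavaScript:` cannot slip past the assertion.
     */
    public function testSanitizeStripsJavascriptUris(): void
    {
        $input = '<a href="javascript:alert(1)">bad</a><a href="https://example.org">good</a>';

        $output = ProfileHtmlSanitizer::sanitize($input);

        $this->assertStringNotContainsStringIgnoringCase('javascript:', $output);
        $this->assertStringContainsString('https://example.org', $output);
    }

    /**
     * Embedded CSS must be rewritten so that its selectors are confined to
     * the profile wrapper instead of applying to the whole page.
     *
     * Presumably the sanitizer prefixes each selector with
     * `.rescue-profile-scope` — confirm against ProfileHtmlSanitizer; this
     * test only asserts that the prefix appears, that `.hdr` was prefixed,
     * and that the unscoped `body{color:red}` rule is no longer emitted
     * verbatim. Whether the `body` rule is rewritten or dropped is not pinned.
     */
    public function testSanitizeScopesEmbeddedCss(): void
    {
        $input = '<style>body{color:red}.hdr{font-weight:bold}</style><div class="hdr">Title</div>';

        $output = ProfileHtmlSanitizer::sanitize($input);

        $this->assertStringContainsString('.rescue-profile-scope', $output);
        $this->assertStringContainsString('.rescue-profile-scope .hdr', $output);
        $this->assertStringNotContainsString('<style>body{color:red}', $output);
    }
}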