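<?php

declare(strict_types=1);

/**
 * Tests for the section-edit marker that the XHTML renderer embeds as an HTML comment
 * (`<!-- EDIT{...json...} -->`) and that html_secedit() later turns into edit buttons.
 *
 * Two things are covered: that SEC_EDIT_PATTERN extracts the JSON payload of such a
 * marker, and that heading text cannot break out of the comment/JSON and end up as
 * live markup in the rendered page.
 */
class html_scedit_pattern_test extends DokuWikiTest {

    /**
     * Marker strings as emitted by the renderer, the payload fields that must be decoded
     * from them, and a label for failure messages.
     *
     * Only a subset of the payload is checked (secid, target, name, hid, range); extra
     * fields such as codeblockOffset may be present without failing the test.
     *
     * @return array<int, array{0: string, 1: array<string, int|string>, 2: string}>
     */
    public function dataProviderForTestSecEditPattern(): array {
        return [
            [
                '<!-- EDIT{"target":"SECTION","name":"Plugins","hid":"plugins","codeblockOffset":0,"secid":5,"range":"1406-"} -->',
                [
                    'secid' => 5,
                    'target' => 'SECTION',
                    'name' => 'Plugins',
                    'hid' => 'plugins',
                    'range' => '1406-',
                ],
                'basic section edit',
            ],
            [
                '<!-- EDIT{"target":"TABLE","name":"","hid":"table4","codeblockOffset":0,"secid":10,"range":"11908-14014"} -->',
                [
                    'secid' => 10,
                    'target' => 'TABLE',
                    'name' => '',
                    'hid' => 'table4',
                    'range' => '11908-14014',
                ],
                'table edit',
            ],
            [
                '<!-- EDIT{"target":"PLUGIN_DATA","name":"","hid":"","codeblockOffset":0,"secid":2,"range":"27-432"} -->',
                [
                    'secid' => 2,
                    'target' => 'PLUGIN_DATA',
                    'name' => '',
                    'hid' => '',
                    'range' => '27-432',
                ],
                'data plugin',
            ],
        ];
    }

    /**
     * SEC_EDIT_PATTERN must match the marker and capture its JSON payload in group 1;
     * every expected field must decode to exactly (===) the expected value.
     *
     * @dataProvider dataProviderForTestSecEditPattern
     *
     * @param string $text            complete marker comment as found in rendered XHTML
     * @param array  $expectedMatches payload fields and the values they must decode to
     * @param string $msg             label used in assertion messages
     */
    public function testSecEditPattern(string $text, array $expectedMatches, string $msg): void {
        // Assert the match explicitly: a non-matching pattern would otherwise surface as an
        // undefined-index notice on $matches[1] rather than as a readable test failure.
        $this->assertSame(1, preg_match(SEC_EDIT_PATTERN, $text, $matches), $msg);
        $this->assertArrayHasKey(1, $matches, $msg);

        // Capture group 1 is expected to hold the JSON object between "EDIT" and " -->".
        $data = json_decode($matches[1], true);
        $this->assertTrue(is_array($data), $msg . ' (payload is not valid JSON)');

        foreach ($expectedMatches as $key => $expected_value) {
            $this->assertArrayHasKey($key, $data, $msg);
            $this->assertSame($expected_value, $data[$key], $msg);
        }
    }

    /**
     * A heading whose text is `} --> <script>` must not be able to terminate the JSON
     * object and the surrounding HTML comment of the EDIT marker; if it did, the
     * `<script>` tag would survive as live markup once html_secedit() has processed
     * the markers. The check is done on the output with edit buttons disabled, i.e.
     * after the markers have been handled.
     */
    public function testSecEditHTMLInjection(): void {
        $ins = p_get_instructions("====== Foo ======\n\n===== } --> <script> =====\n\n===== Bar =====\n");
        $info = [];
        $xhtml = p_render('xhtml', $ins, $info);

        $this->assertNotNull($xhtml);

        $xhtml_without_secedit = html_secedit($xhtml, false);

        // assertStringNotContainsString needs PHPUnit >= 7.5.
        $this->assertStringNotContainsString(
            '<script>',
            $xhtml_without_secedit,
            'Plain <script> tag found in output - HTML/JS injection might be possible!'
        );
    }
}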