xref: /dokuwiki/_test/tests/inc/html_secedit_pattern.test.php (revision cdefa10b874351d06c6f83b3563ab9c3f116e5ab)
1<?php
2
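/**
 * Tests for section-edit markers: the SEC_EDIT_PATTERN regex and the output of
 * html_secedit().
 *
 * The markers exercised here are HTML comments of the form
 * `<!-- EDIT{...JSON...} -->`, as shown in the data provider below.
 */
class html_scedit_pattern_test extends DokuWikiTest {

    /**
     * Data sets for testSecEditPattern().
     *
     * Each entry is [marker text, expected decoded fields, assertion message].
     * The markers also carry a "codeblockOffset" field that is deliberately not
     * listed in the expectations; only the listed keys are compared.
     *
     * @return array[]
     */
    public function dataProviderForTestSecEditPattern() {
        return [
            [
                '<!-- EDIT{"target":"SECTION","name":"Plugins","hid":"plugins","codeblockOffset":0,"secid":5,"range":"1406-"} -->',
                [
                    'secid' => 5,
                    'target' => 'SECTION',
                    'name' => 'Plugins',
                    'hid' => 'plugins',
                    'range' => '1406-',
                ],
                'basic section edit',
            ],
            [
                '<!-- EDIT{"target":"TABLE","name":"","hid":"table4","codeblockOffset":0,"secid":10,"range":"11908-14014"} -->',
                [
                    'secid' => 10,
                    'target' => 'TABLE',
                    'name' => '',
                    'hid' => 'table4',
                    'range' => '11908-14014',
                ],
                'table edit'
            ],
            [
                '<!-- EDIT{"target":"PLUGIN_DATA","name":"","hid":"","codeblockOffset":0,"secid":2,"range":"27-432"} -->',
                [
                    'secid' => 2,
                    'target' => 'PLUGIN_DATA',
                    'name' => '',
                    'hid' => '',
                    'range' => '27-432',
                ],
                'data plugin'
            ],
        ];
    }

    /**
     * SEC_EDIT_PATTERN must match a marker and capture its JSON payload in group 1.
     *
     * @dataProvider dataProviderForTestSecEditPattern
     *
     * @param string $text            marker text to match
     * @param array  $expectedMatches key => value pairs expected in the decoded payload
     * @param string $msg             label of the data set, used in failure messages
     */
    public function testSecEditPattern($text, $expectedMatches, $msg) {
        $matches = [];
        $found = preg_match(SEC_EDIT_PATTERN, $text, $matches);

        // Fail here with a clear message instead of running into an undefined
        // offset on $matches[1] when the pattern does not match at all.
        $this->assertSame(1, $found, $msg . ': SEC_EDIT_PATTERN did not match');
        $this->assertArrayHasKey(1, $matches, $msg . ': capture group 1 is missing');

        $data = json_decode($matches[1], true);
        // json_decode() returns null on malformed input; without this check every
        // comparison below would fail with a misleading "null" offset lookup.
        $this->assertTrue(is_array($data), $msg . ': captured payload did not decode to an array');

        foreach ($expectedMatches as $key => $expected_value) {
            $this->assertArrayHasKey($key, $data, $msg . ': key missing in decoded payload');
            $this->assertSame($expected_value, $data[$key], $msg);
        }
    }

    /**
     * A heading must not be able to terminate the edit marker and inject markup.
     *
     * The second heading is `} --> <script>`: it contains the `} -->` sequence
     * that ends a marker (see the data provider), followed by a script tag. If
     * the heading text reached the marker unescaped, the comment would end early
     * and the tag would become live markup in the page.
     *
     * html_secedit() is called with false as its second argument; judging by the
     * local variable name this is the output without section-edit buttons --
     * NOTE(review): confirm against html_secedit().
     */
    public function testSecEditHTMLInjection() {
        $ins = p_get_instructions("====== Foo ======\n\n===== } --> <script> =====\n\n===== Bar =====\n");
        $info = array();
        $xhtml = p_render('xhtml', $ins, $info);

        $this->assertNotNull($xhtml);

        $xhtml_without_secedit = html_secedit($xhtml, false);

        // strpos() also yields false for a null or empty haystack, so a failed or
        // empty result would let the injection check below pass vacuously.
        $this->assertTrue(is_string($xhtml_without_secedit), 'html_secedit() did not return a string');
        $this->assertNotSame('', $xhtml_without_secedit, 'html_secedit() returned empty output');

        $this->assertFalse(strpos($xhtml_without_secedit, '<script>'), 'Plain <script> tag found in output - HTML/JS injection might be possible!');
    }
}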