starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-05-04 18:08:46 +03:00
Code Issues 784 Packages Projects Releases 15 Wiki Activity

Content: Updated tests and CSP usage of content script setting

Browse Source 
Updates CSP to use new content_filtering option.
Splits out content filtering tests to their own class.
Updated tests where needed to adapt to changes.
This commit is contained in:
Dan Brown
2026-02-15 18:44:14 +00:00
parent 227027fc45
commit 035be66ebc
7 changed files with 368 additions and 354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/Entities/Tools/PageContent.php
View File

@@ -339,7 +339,7 @@ class PageContent
{
$contentHash = md5($html);
$contentId = $this->page->id;
$contentTime = $this->page->updated_at->timestamp;
$contentTime = $this->page->updated_at?->timestamp ?? time();
$appVersion = AppVersion::get();
return "page-content-cache::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
}

2
app/Theming/CustomHtmlHeadContentProvider.php
View File

@@ -41,7 +41,7 @@ class CustomHtmlHeadContentProvider
$hash = md5($content);
return $this->cache->remember('custom-head-export:' . $hash, 86400, function () use ($content) {
$config = new HtmlContentFilterConfig(filterOutNonContentElements: false);
$config = new HtmlContentFilterConfig(filterOutNonContentElements: false, useAllowListFilter: false);
return (new HtmlContentFilter($config))->filterString($content);
});
}

2
app/Util/ConfiguredHtmlPurifier.php
View File

@@ -62,7 +62,7 @@ class ConfiguredHtmlPurifier
$config->set('Attr.EnableID', true);
$config->set('Attr.ID.HTML5', true);
$config->set('Output.FixInnerHTML', false);
$config->set('URI.SafeIframeRegexp', '%^(http://|https://)%');
$config->set('URI.SafeIframeRegexp', '%^(http://|https://|//)%');
$config->set('URI.AllowedSchemes', [
'http' => true,
'https' => true,

9
app/Util/CspService.php
View File

@@ -65,7 +65,7 @@ class CspService
*/
protected function getScriptSrc(): string
{
if (config('app.allow_content_scripts')) {
if ($this->scriptFilteringDisabled()) {
return '';
}
@@ -108,7 +108,7 @@ class CspService
*/
protected function getObjectSrc(): string
{
if (config('app.allow_content_scripts')) {
if ($this->scriptFilteringDisabled()) {
return '';
}
@@ -124,6 +124,11 @@ class CspService
return "base-uri 'self'";
}
protected function scriptFilteringDisabled(): bool
{
return !HtmlContentFilterConfig::fromConfigString(config('app.content_filtering'))->filterOutJavaScript;
}
protected function getAllowedIframeHosts(): array
{
$hosts = config('app.iframe_hosts') ?? '';

353
tests/Entity/PageContentFilteringTest.php Normal file
View File

@@ -0,0 +1,353 @@
<?php
namespace Entity;
use Tests\TestCase;
class PageContentFilteringTest extends TestCase
{
public function test_page_content_scripts_removed_by_default()
{
$this->asEditor();
$page = $this->entities->page();
$script = 'abc123<script>console.log("hello-test")</script>abc123';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee($script, false);
$pageView->assertSee('abc123abc123');
}
public function test_more_complex_content_script_escaping_scenarios()
{
$checks = [
"<p>Some script</p><script>alert('cat')</script>",
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
"<p>Some script<script>alert('cat')</script></p>",
"<p>Some script <div><script>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
}
}
public function test_js_and_base64_src_urls_are_removed()
{
$checks = [
'<iframe src="javascript:alert(document.cookie)"></iframe>',
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
'<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
'<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<img src="javascript:alert(document.cookie)"/>',
'<img src="JavAScRipT:alert(document.cookie)"/>',
'<img src="JavAScRipT:alert(document.cookie)"/>',
'<img SRC=" javascript: alert(document.cookie)"/>',
'<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
'<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
'<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
$html->assertElementNotContains('.page-content', '<iframe>');
$html->assertElementNotContains('.page-content', '<img');
$html->assertElementNotContains('.page-content', '</iframe>');
$html->assertElementNotContains('.page-content', 'src=');
$html->assertElementNotContains('.page-content', 'javascript:');
$html->assertElementNotContains('.page-content', 'data:');
$html->assertElementNotContains('.page-content', 'base64');
}
}
public function test_javascript_uri_links_are_removed()
{
$checks = [
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
'<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
'<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
}
}
public function test_form_actions_with_javascript_are_removed()
{
$checks = [
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
'<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
'<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
'<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee('id="xss"', false);
$pageView->assertDontSee('action=javascript:', false);
$pageView->assertDontSee('action=JaVaScRiPt:', false);
$pageView->assertDontSee('formaction=javascript:', false);
$pageView->assertDontSee('formaction=JaVaScRiPt:', false);
}
}
public function test_form_elements_are_removed()
{
$checks = [
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
'<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
'<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
'<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
'<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
'<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
<<<'TESTCASE'
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<p>thisisacattofind</p>
<form>
<p>thisdogshouldnotbefound</p>
</form>
<input type="text" placeholder="thisdogshouldnotbefound" />
<button type="submit">thisdogshouldnotbefound</button>
</body>
</foreignObject>
</svg>
TESTCASE
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertSee('thisisacattofind');
$pageView->assertDontSee('thisdogshouldnotbefound');
}
}
public function test_form_attributes_are_removed()
{
$withinSvgSample = <<<'TESTCASE'
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<p formaction="a">thisisacattofind</p>
<p formaction="a">thisisacattofind</p>
</body>
</foreignObject>
</svg>
TESTCASE;
$checks = [
'formaction' => '<p formaction="a">thisisacattofind</p>',
'form' => '<p form="a">thisisacattofind</p>',
'formmethod' => '<p formmethod="a">thisisacattofind</p>',
'formtarget' => '<p formtarget="a">thisisacattofind</p>',
'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $attribute => $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertSee('thisisacattofind');
$this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
}
$page->html = $withinSvgSample;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
foreach ($checks as $attribute => $check) {
$pageView->assertSee('thisisacattofind');
$html->assertElementNotExists(".page-content [{$attribute}]");
}
}
public function test_metadata_redirects_are_removed()
{
$checks = [
'<meta http-equiv="refresh" content="0; url=//external_url">',
'<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
'<meta http-equiv="refresh" content="0; UrL=//external_url">',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
}
}
public function test_page_inline_on_attributes_removed_by_default()
{
$this->asEditor();
$page = $this->entities->page();
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee($script, false);
$pageView->assertSee('<p>Hello</p>', false);
}
public function test_more_complex_inline_on_attributes_escaping_scenarios()
{
$checks = [
'<p onclick="console.log(\'test\')">Hello</p>',
'<p OnCliCk="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
'<a a="<img src=1 onerror=\'alert(1)\'> ',
'\<a onclick="alert(document.cookie)"\>xss link\</a\>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
}
}
public function test_page_content_scripts_show_with_filters_disabled()
{
$this->asEditor();
$page = $this->entities->page();
config()->set('app.content_filtering', '');
$script = 'abc123<script>console.log("hello-test")</script>abc123';
$page->html = "no escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script, false);
$pageView->assertDontSee('abc123abc123');
}
public function test_svg_script_usage_is_removed()
{
$checks = [
'<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
'<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
'<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
'<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
'<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
'<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
'<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
$html->assertElementNotContains('.page-content', 'alert');
$html->assertElementNotContains('.page-content', 'xlink:href');
$html->assertElementNotContains('.page-content', 'application/xml');
$html->assertElementNotContains('.page-content', 'javascript');
}
}
public function test_page_inline_on_attributes_show_with_filters_disabled()
{
$this->asEditor();
$page = $this->entities->page();
config()->set('app.content_filtering', '');
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script, false);
$pageView->assertDontSee('<p>Hello</p>', false);
}
}

348
tests/Entity/PageContentTest.php
View File

@@ -101,351 +101,6 @@ class PageContentTest extends TestCase
$pageResp->assertSee('Hello Barry');
}
public function test_page_content_scripts_removed_by_default()
{
$this->asEditor();
$page = $this->entities->page();
$script = 'abc123<script>console.log("hello-test")</script>abc123';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee($script, false);
$pageView->assertSee('abc123abc123');
}
public function test_more_complex_content_script_escaping_scenarios()
{
$checks = [
"<p>Some script</p><script>alert('cat')</script>",
"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
"<p>Some script<script>alert('cat')</script></p>",
"<p>Some script <div><script>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script></div></p>",
"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<script>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</script>');
}
}
public function test_js_and_base64_src_urls_are_removed()
{
$checks = [
'<iframe src="javascript:alert(document.cookie)"></iframe>',
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
'<iframe src="JavAScRipT:alert(document.cookie)"></iframe>',
'<iframe SRC=" javascript: alert(document.cookie)"></iframe>',
'<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<iframe src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<iframe src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg==" frameborder="0"></iframe>',
'<img src="javascript:alert(document.cookie)"/>',
'<img src="JavAScRipT:alert(document.cookie)"/>',
'<img src="JavAScRipT:alert(document.cookie)"/>',
'<img SRC=" javascript: alert(document.cookie)"/>',
'<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<img src="DaTa:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<img src=" data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGVsbG8nKTwvc2NyaXB0Pg=="/>',
'<iframe srcdoc="<script>window.alert(document.cookie)</script>"></iframe>',
'<iframe SRCdoc="<script>window.alert(document.cookie)</script>"></iframe>',
'<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
$html->assertElementNotContains('.page-content', '<iframe>');
$html->assertElementNotContains('.page-content', '<img');
$html->assertElementNotContains('.page-content', '</iframe>');
$html->assertElementNotContains('.page-content', 'src=');
$html->assertElementNotContains('.page-content', 'javascript:');
$html->assertElementNotContains('.page-content', 'data:');
$html->assertElementNotContains('.page-content', 'base64');
}
}
public function test_javascript_uri_links_are_removed()
{
$checks = [
'<a id="xss" href="javascript:alert(document.cookie)>Click me</a>',
'<a id="xss" href="javascript: alert(document.cookie)>Click me</a>',
'<a id="xss" href="JaVaScRiPt: alert(document.cookie)>Click me</a>',
'<a id="xss" href=" JaVaScRiPt: alert(document.cookie)>Click me</a>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<a id="xss"');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:');
}
}
public function test_form_actions_with_javascript_are_removed()
{
$checks = [
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
'<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
'<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
'<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee('id="xss"', false);
$pageView->assertDontSee('action=javascript:', false);
$pageView->assertDontSee('action=JaVaScRiPt:', false);
$pageView->assertDontSee('formaction=javascript:', false);
$pageView->assertDontSee('formaction=JaVaScRiPt:', false);
}
}
public function test_form_elements_are_removed()
{
$checks = [
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
'<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
'<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
'<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
'<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
'<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
<<<'TESTCASE'
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<p>thisisacattofind</p>
<form>
<p>thisdogshouldnotbefound</p>
</form>
<input type="text" placeholder="thisdogshouldnotbefound" />
<button type="submit">thisdogshouldnotbefound</button>
</body>
</foreignObject>
</svg>
TESTCASE
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertSee('thisisacattofind');
$pageView->assertDontSee('thisdogshouldnotbefound');
}
}
public function test_form_attributes_are_removed()
{
$withinSvgSample = <<<'TESTCASE'
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<p formaction="a">thisisacattofind</p>
<p formaction="a">thisisacattofind</p>
</body>
</foreignObject>
</svg>
TESTCASE;
$checks = [
'formaction' => '<p formaction="a">thisisacattofind</p>',
'form' => '<p form="a">thisisacattofind</p>',
'formmethod' => '<p formmethod="a">thisisacattofind</p>',
'formtarget' => '<p formtarget="a">thisisacattofind</p>',
'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $attribute => $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertSee('thisisacattofind');
$this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
}
$page->html = $withinSvgSample;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
foreach ($checks as $attribute => $check) {
$pageView->assertSee('thisisacattofind');
$html->assertElementNotExists(".page-content [{$attribute}]");
}
}
public function test_metadata_redirects_are_removed()
{
$checks = [
'<meta http-equiv="refresh" content="0; url=//external_url">',
'<meta http-equiv="refresh" ConTeNt="0; url=//external_url">',
'<meta http-equiv="refresh" content="0; UrL=//external_url">',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<meta>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', '</meta>');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
}
}
public function test_page_inline_on_attributes_removed_by_default()
{
$this->asEditor();
$page = $this->entities->page();
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$pageView->assertDontSee($script, false);
$pageView->assertSee('<p>Hello</p>', false);
}
public function test_more_complex_inline_on_attributes_escaping_scenarios()
{
$checks = [
'<p onclick="console.log(\'test\')">Hello</p>',
'<p OnCliCk="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
'<a a="<img src=1 onerror=\'alert(1)\'> ',
'\<a onclick="alert(document.cookie)"\>xss link\</a\>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick');
}
}
public function test_page_content_scripts_show_when_configured()
{
$this->asEditor();
$page = $this->entities->page();
config()->set('app.allow_content_scripts', 'true');
$script = 'abc123<script>console.log("hello-test")</script>abc123';
$page->html = "no escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script, false);
$pageView->assertDontSee('abc123abc123');
}
public function test_svg_script_usage_is_removed()
{
$checks = [
'<svg id="test" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"><a xlink:href="javascript:alert(document.domain)"><rect x="0" y="0" width="100" height="100" /></a></svg>',
'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><use xlink:href="data:application/xml;base64 ,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjAiIGN4PSIwIiBjeT0iMCIgc3R5bGU9ImZpbGw6ICNGMDAiPgo8c2V0IGF0dHJpYnV0ZU5hbWU9ImZpbGwiIGF0dHJpYnV0ZVR5cGU9IkNTUyIgb25iZWdpbj0nYWxlcnQoZG9jdW1lbnQuZG9tYWluKScKb25lbmQ9J2FsZXJ0KCJvbmVuZCIpJyB0bz0iIzAwRiIgYmVnaW49IjBzIiBkdXI9Ijk5OXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/></svg>',
'<svg><animate href=#xss attributeName=href values=javascript:alert(1) /></svg>',
'<svg><animate href="#xss" attributeName="href" values="a;javascript:alert(1)" /></svg>',
'<svg><animate href="#xss" attributeName="href" values="a;data:alert(1)" /></svg>',
'<svg><animate href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>',
'<svg><set href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>',
'<svg><g><g><g><animate href=#xss attributeName=href values=javascript:alert(1) /></g></g></g></svg>',
];
$this->asEditor();
$page = $this->entities->page();
foreach ($checks as $check) {
$page->html = $check;
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertStatus(200);
$html = $this->withHtml($pageView);
$html->assertElementNotContains('.page-content', 'alert');
$html->assertElementNotContains('.page-content', 'xlink:href');
$html->assertElementNotContains('.page-content', 'application/xml');
$html->assertElementNotContains('.page-content', 'javascript');
}
}
public function test_page_inline_on_attributes_show_if_configured()
{
$this->asEditor();
$page = $this->entities->page();
config()->set('app.allow_content_scripts', 'true');
$script = '<p onmouseenter="console.log(\'test\')">Hello</p>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script, false);
$pageView->assertDontSee('<p>Hello</p>', false);
}
public function test_duplicate_ids_does_not_break_page_render()
{
$this->asEditor();
@@ -649,6 +304,7 @@ TESTCASE;
public function test_page_markdown_single_html_comment_saving()
{
config()->set('app.content_filtering', 'jfh');
$this->asEditor();
$page = $this->entities->page();
@@ -656,7 +312,7 @@ TESTCASE;
$this->put($page->getUrl(), [
'name' => $page->name, 'markdown' => $content,
'html' => '', 'summary' => '',
]);
])->assertRedirect();
$page->refresh();
$this->assertStringMatchesFormat($content, $page->html);

6
tests/SecurityHeaderTest.php
View File

@@ -93,14 +93,14 @@ class SecurityHeaderTest extends TestCase
$this->assertNotEquals($firstHeader, $secondHeader);
}
public function test_allow_content_scripts_settings_controls_csp_script_headers()
public function test_content_filtering_config_controls_csp_script_headers()
{
config()->set('app.allow_content_scripts', true);
config()->set('app.content_filtering', '');
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'script-src');
$this->assertEmpty($scriptHeader);
config()->set('app.allow_content_scripts', false);
config()->set('app.content_filtering', 'j');
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'script-src');
$this->assertNotEmpty($scriptHeader);