mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-05-04 18:08:46 +03:00
Page Content: Added form elements to filtering
Added and updated tests to cover. Also updated API auth to a narrower focus of existing session instead of also existing user auth. This is mainly for tests, to ensure they're following the session process we'd see for activity in the UI.
This commit is contained in:
Dan Brown
@@ -24,7 +24,8 @@ class ApiAuthTest extends TestCase
|
||||
|
||||
$this->actingAs($viewer, 'standard');
|
||||
|
||||
$resp = $this->get($this->endpoint);
|
||||
$this->startSession();
|
||||
$resp = $this->withCredentials()->get($this->endpoint);
|
||||
$resp->assertStatus(200);
|
||||
}
|
||||
|
||||
@@ -75,6 +76,7 @@ class ApiAuthTest extends TestCase
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$this->actingAs($editor, 'standard');
|
||||
$this->startSession();
|
||||
|
||||
$resp = $this->get($this->endpoint);
|
||||
$resp->assertStatus(200);
|
||||
@@ -116,6 +118,7 @@ class ApiAuthTest extends TestCase
|
||||
{
|
||||
$user = $this->users->admin();
|
||||
$this->actingAs($user, 'standard');
|
||||
$this->startSession();
|
||||
|
||||
$uriByMethods = [
|
||||
'POST' => '/books',
|
||||
|
||||
@@ -252,7 +252,7 @@ class ChaptersApiTest extends TestCase
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$this->permissions->removeUserRolePermissions($editor, ['chapter-delete-all', 'chapter-delete-own']);
|
||||
$this->actingAs($editor);
|
||||
$this->actingAsForApi($editor);
|
||||
$chapter = $this->entities->chapterHasPages();
|
||||
$newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@ class RecycleBinApiTest extends TestCase
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$this->permissions->grantUserRolePermissions($editor, ['settings-manage']);
|
||||
$this->actingAs($editor);
|
||||
$this->actingAsForApi($editor);
|
||||
|
||||
foreach ($this->endpointMap as [$method, $uri]) {
|
||||
$resp = $this->json($method, $uri);
|
||||
@@ -36,7 +36,7 @@ class RecycleBinApiTest extends TestCase
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$this->permissions->grantUserRolePermissions($editor, ['restrictions-manage-all']);
|
||||
$this->actingAs($editor);
|
||||
$this->actingAsForApi($editor);
|
||||
|
||||
foreach ($this->endpointMap as [$method, $uri]) {
|
||||
$resp = $this->json($method, $uri);
|
||||
@@ -53,6 +53,7 @@ class RecycleBinApiTest extends TestCase
|
||||
$book = $this->entities->book();
|
||||
$this->actingAs($admin)->delete($page->getUrl());
|
||||
$this->delete($book->getUrl());
|
||||
$this->actingAsForApi($admin);
|
||||
|
||||
$deletions = Deletion::query()->orderBy('id')->get();
|
||||
|
||||
@@ -89,7 +90,7 @@ class RecycleBinApiTest extends TestCase
|
||||
|
||||
$deletion = Deletion::query()->orderBy('id')->first();
|
||||
|
||||
$resp = $this->getJson($this->baseEndpoint);
|
||||
$resp = $this->actingAsForApi($admin)->getJson($this->baseEndpoint);
|
||||
|
||||
$expectedData = [
|
||||
[
|
||||
@@ -115,6 +116,7 @@ class RecycleBinApiTest extends TestCase
|
||||
$this->actingAs($admin)->delete($page->getUrl());
|
||||
$deletion = Deletion::query()->orderBy('id')->first();
|
||||
|
||||
$this->actingAsForApi($admin);
|
||||
$resp = $this->getJson($this->baseEndpoint);
|
||||
|
||||
$expectedData = [
|
||||
@@ -141,6 +143,7 @@ class RecycleBinApiTest extends TestCase
|
||||
$page = $this->entities->page();
|
||||
$this->asAdmin()->delete($page->getUrl());
|
||||
$page->refresh();
|
||||
$this->actingAsApiAdmin();
|
||||
|
||||
$deletion = Deletion::query()->orderBy('id')->first();
|
||||
|
||||
@@ -165,6 +168,7 @@ class RecycleBinApiTest extends TestCase
|
||||
$page = $this->entities->page();
|
||||
$this->asAdmin()->delete($page->getUrl());
|
||||
$page->refresh();
|
||||
$this->actingAsApiAdmin();
|
||||
|
||||
$deletion = Deletion::query()->orderBy('id')->first();
|
||||
|
||||
|
||||
@@ -80,7 +80,7 @@ class UsersApiTest extends TestCase
|
||||
/** @var ActivityModel $activity */
|
||||
$activity = ActivityModel::query()->where('user_id', '=', $user->id)->latest()->first();
|
||||
|
||||
$resp = $this->asAdmin()->getJson($this->baseEndpoint . '?filter[id]=3');
|
||||
$resp = $this->actingAsApiAdmin()->getJson($this->baseEndpoint . '?filter[id]=3');
|
||||
$resp->assertJson(['data' => [
|
||||
[
|
||||
'id' => $user->id,
|
||||
|
||||
@@ -208,11 +208,11 @@ class PageContentTest extends TestCase
|
||||
public function test_form_actions_with_javascript_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<form><input id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><input></form>',
|
||||
'<form ><button id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</button></form>',
|
||||
'<form ><button id="xss" formaction=javascript:alert(document.domain)>Click me</button></form>',
|
||||
'<form id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></form>',
|
||||
'<form id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></form>',
|
||||
'<customform><custominput id="xss" type=submit formaction=javascript:alert(document.domain) value=Submit><custominput></customform>',
|
||||
'<customform ><custombutton id="xss" formaction="JaVaScRiPt:alert(document.domain)">Click me</custombutton></customform>',
|
||||
'<customform ><custombutton id="xss" formaction=javascript:alert(document.domain)>Click me</custombutton></customform>',
|
||||
'<customform id="xss" action=javascript:alert(document.domain)><input type=submit value=Submit></customform>',
|
||||
'<customform id="xss" action="JaVaScRiPt:alert(document.domain)"><input type=submit value=Submit></customform>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
@@ -224,11 +224,101 @@ class PageContentTest extends TestCase
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<button id="xss"');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<input id="xss"');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', '<form id="xss"');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'action=javascript:');
|
||||
$this->withHtml($pageView)->assertElementNotContains('.page-content', 'formaction=javascript:');
|
||||
$pageView->assertDontSee('id="xss"', false);
|
||||
$pageView->assertDontSee('action=javascript:', false);
|
||||
$pageView->assertDontSee('action=JaVaScRiPt:', false);
|
||||
$pageView->assertDontSee('formaction=javascript:', false);
|
||||
$pageView->assertDontSee('formaction=JaVaScRiPt:', false);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_elements_are_removed()
|
||||
{
|
||||
$checks = [
|
||||
'<p>thisisacattofind</p><form>thisdogshouldnotbefound</form>',
|
||||
'<p>thisisacattofind</p><input type="text" value="thisdogshouldnotbefound">',
|
||||
'<p>thisisacattofind</p><select><option>thisdogshouldnotbefound</option></select>',
|
||||
'<p>thisisacattofind</p><textarea>thisdogshouldnotbefound</textarea>',
|
||||
'<p>thisisacattofind</p><fieldset>thisdogshouldnotbefound</fieldset>',
|
||||
'<p>thisisacattofind</p><button>thisdogshouldnotbefound</button>',
|
||||
'<p>thisisacattofind</p><BUTTON>thisdogshouldnotbefound</BUTTON>',
|
||||
<<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>thisisacattofind</p>
|
||||
<form>
|
||||
<p>thisdogshouldnotbefound</p>
|
||||
</form>
|
||||
<input type="text" placeholder="thisdogshouldnotbefound" />
|
||||
<button type="submit">thisdogshouldnotbefound</button>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE
|
||||
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$pageView->assertDontSee('thisdogshouldnotbefound');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_form_attributes_are_removed()
|
||||
{
|
||||
$withinSvgSample = <<<'TESTCASE'
|
||||
<svg width="200" height="100" xmlns="http://www.w3.org/2000/svg">
|
||||
<foreignObject width="100%" height="100%">
|
||||
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
<p formaction="a">thisisacattofind</p>
|
||||
</body>
|
||||
|
||||
</foreignObject>
|
||||
</svg>
|
||||
TESTCASE;
|
||||
|
||||
$checks = [
|
||||
'formaction' => '<p formaction="a">thisisacattofind</p>',
|
||||
'form' => '<p form="a">thisisacattofind</p>',
|
||||
'formmethod' => '<p formmethod="a">thisisacattofind</p>',
|
||||
'formtarget' => '<p formtarget="a">thisisacattofind</p>',
|
||||
'FORMTARGET' => '<p FORMTARGET="a">thisisacattofind</p>',
|
||||
];
|
||||
|
||||
$this->asEditor();
|
||||
$page = $this->entities->page();
|
||||
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$page->html = $check;
|
||||
$page->save();
|
||||
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
|
||||
$page->html = $withinSvgSample;
|
||||
$page->save();
|
||||
$pageView = $this->get($page->getUrl());
|
||||
$pageView->assertStatus(200);
|
||||
$html = $this->withHtml($pageView);
|
||||
foreach ($checks as $attribute => $check) {
|
||||
$pageView->assertSee('thisisacattofind');
|
||||
$html->assertElementNotExists(".page-content [{$attribute}]");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user