entities->page(); $secondPage = $this->entities->page(); $secondPage->html = "

Hello, This is a test

This is a second block of content

"; $secondPage->save(); $this->asEditor(); $pageContent = $this->get($page->getUrl()); $pageContent->assertDontSee('Hello, This is a test'); $originalHtml = $page->html; $page->html .= "{{@{$secondPage->id}}}"; $page->save(); $pageContent = $this->get($page->getUrl()); $pageContent->assertSee('Hello, This is a test'); $pageContent->assertSee('This is a second block of content'); $page->html = $originalHtml . " Well {{@{$secondPage->id}#section2}}"; $page->save(); $pageContent = $this->get($page->getUrl()); $pageContent->assertDontSee('Hello, This is a test'); $pageContent->assertSee('Well This is a second block of content'); } public function test_saving_page_with_includes() { $page = $this->entities->page(); $secondPage = $this->entities->page(); $this->asEditor(); $includeTag = '{{@' . $secondPage->id . '}}'; $page->html = '

' . $includeTag . '

'; $resp = $this->put($page->getUrl(), ['name' => $page->name, 'html' => $page->html, 'summary' => '']); $resp->assertStatus(302); $page = Page::find($page->id); $this->assertStringContainsString($includeTag, $page->html); $this->assertEquals('', $page->text); } public function test_page_includes_rendered_on_book_export() { $page = $this->entities->page(); $secondPage = Page::query() ->where('book_id', '!=', $page->book_id) ->first(); $content = '

my cat is awesome and scratchy

'; $secondPage->html = $content; $secondPage->save(); $page->html = "{{@{$secondPage->id}#bkmrk-meow}}"; $page->save(); $this->asEditor(); $htmlContent = $this->get($page->book->getUrl('/export/html')); $htmlContent->assertSee('my cat is awesome and scratchy'); } public function test_page_includes_can_be_nested_up_to_three_times() { $page = $this->entities->page(); $tag = "{{@{$page->id}#bkmrk-test}}"; $page->html = '

Hello Barry ' . $tag . '

'; $page->save(); $pageResp = $this->asEditor()->get($page->getUrl()); $this->withHtml($pageResp)->assertElementContains('#bkmrk-test', 'Hello Barry Hello Barry Hello Barry Hello Barry ' . $tag); $this->withHtml($pageResp)->assertElementNotContains('#bkmrk-test', 'Hello Barry Hello Barry Hello Barry Hello Barry Hello Barry ' . $tag); } public function test_page_includes_to_nonexisting_pages_does_not_error() { $page = $this->entities->page(); $missingId = Page::query()->max('id') + 1; $tag = "{{@{$missingId}}}"; $page->html = '

Hello Barry ' . $tag . '

'; $page->save(); $pageResp = $this->asEditor()->get($page->getUrl()); $pageResp->assertOk(); $pageResp->assertSee('Hello Barry'); } public function test_page_content_scripts_removed_by_default() { $this->asEditor(); $page = $this->entities->page(); $script = 'abc123abc123'; $page->html = "escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertDontSee($script, false); $pageView->assertSee('abc123abc123'); } public function test_more_complex_content_script_escaping_scenarios() { $checks = [ "

Some script

", "

Some script

", "

Some script

", "

Some script

", "

Some script

", "

Some script

", ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $this->withHtml($pageView)->assertElementNotContains('.page-content', ''); } } public function test_js_and_base64_src_urls_are_removed() { $checks = [ '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $html = $this->withHtml($pageView); $html->assertElementNotContains('.page-content', ''); $html->assertElementNotContains('.page-content', 'src='); $html->assertElementNotContains('.page-content', 'javascript:'); $html->assertElementNotContains('.page-content', 'data:'); $html->assertElementNotContains('.page-content', 'base64'); } } public function test_javascript_uri_links_are_removed() { $checks = [ 'withHtml($pageView)->assertElementNotContains('.page-content', 'href=javascript:'); } } public function test_form_actions_with_javascript_are_removed() { $checks = [ '', 'Click me', 'Click me', '', '', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertDontSee('id="xss"', false); $pageView->assertDontSee('action=javascript:', false); $pageView->assertDontSee('action=JaVaScRiPt:', false); $pageView->assertDontSee('formaction=javascript:', false); $pageView->assertDontSee('formaction=JaVaScRiPt:', false); } } public function test_form_elements_are_removed() { $checks = [ '

thisisacattofind

thisdogshouldnotbefound
', '

thisisacattofind

', '

thisisacattofind

', '

thisisacattofind

', '

thisisacattofind

thisdogshouldnotbefound
', '

thisisacattofind

', '

thisisacattofind

', <<<'TESTCASE'

thisisacattofind

thisdogshouldnotbefound

 TESTCASE ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertSee('thisisacattofind'); $pageView->assertDontSee('thisdogshouldnotbefound'); } } public function test_form_attributes_are_removed() { $withinSvgSample = <<<'TESTCASE'

thisisacattofind

thisisacattofind

 TESTCASE; $checks = [ 'formaction' => '

thisisacattofind

', 'form' => '

thisisacattofind

', 'formmethod' => '

thisisacattofind

', 'formtarget' => '

thisisacattofind

', 'FORMTARGET' => '

thisisacattofind

', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $attribute => $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertSee('thisisacattofind'); $this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]"); } $page->html = $withinSvgSample; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $html = $this->withHtml($pageView); foreach ($checks as $attribute => $check) { $pageView->assertSee('thisisacattofind'); $html->assertElementNotExists(".page-content [{$attribute}]"); } } public function test_metadata_redirects_are_removed() { $checks = [ '', '', '', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $this->withHtml($pageView)->assertElementNotContains('.page-content', ''); $this->withHtml($pageView)->assertElementNotContains('.page-content', ''); $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content='); $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url'); } } public function test_page_inline_on_attributes_removed_by_default() { $this->asEditor(); $page = $this->entities->page(); $script = '

Hello

'; $page->html = "escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertDontSee($script, false); $pageView->assertSee('

Hello

', false); } public function test_more_complex_inline_on_attributes_escaping_scenarios() { $checks = [ '

Hello

', '

Hello

', '
Lorem ipsum dolor sit amet.

Hello

', '
Lorem ipsum dolor sit amet.

Hello

', '
Lorem ipsum dolor sit amet.

Hello

', '
Lorem ipsum dolor sit amet.

Hello

', 'xss link\', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick'); } } public function test_page_content_scripts_show_when_configured() { $this->asEditor(); $page = $this->entities->page(); config()->set('app.allow_content_scripts', 'true'); $script = 'abc123abc123'; $page->html = "no escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertSee($script, false); $pageView->assertDontSee('abc123abc123'); } public function test_svg_script_usage_is_removed() { $checks = [ '', '', '', '', '', 'XSS', 'XSS', '', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $html = $this->withHtml($pageView); $html->assertElementNotContains('.page-content', 'alert'); $html->assertElementNotContains('.page-content', 'xlink:href'); $html->assertElementNotContains('.page-content', 'application/xml'); $html->assertElementNotContains('.page-content', 'javascript'); } } public function test_page_inline_on_attributes_show_if_configured() { $this->asEditor(); $page = $this->entities->page(); config()->set('app.allow_content_scripts', 'true'); $script = '

Hello

'; $page->html = "escape {$script}"; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertSee($script, false); $pageView->assertDontSee('

Hello

', false); } public function test_duplicate_ids_does_not_break_page_render() { $this->asEditor(); $pageA = Page::query()->first(); $pageB = Page::query()->where('id', '!=', $pageA->id)->first(); $content = ' '; $pageA->html = $content; $pageA->save(); $pageB->html = '

{{@' . $pageA->id . '#test}}

'; $pageB->save(); $pageView = $this->get($pageB->getUrl()); $pageView->assertSuccessful(); } public function test_duplicate_ids_fixed_on_page_save() { $this->asEditor(); $page = $this->entities->page(); $content = ''; $pageSave = $this->put($page->getUrl(), [ 'name' => $page->name, 'html' => $content, 'summary' => '', ]); $pageSave->assertRedirect(); $updatedPage = Page::query()->where('id', '=', $page->id)->first(); $this->assertEquals(substr_count($updatedPage->html, 'bkmrk-test"'), 1); } public function test_anchors_referencing_non_bkmrk_ids_rewritten_after_save() { $this->asEditor(); $page = $this->entities->page(); $content = '

test

link

'; $this->put($page->getUrl(), [ 'name' => $page->name, 'html' => $content, 'summary' => '', ]); $updatedPage = Page::query()->where('id', '=', $page->id)->first(); $this->assertStringContainsString('id="bkmrk-test"', $updatedPage->html); $this->assertStringContainsString('href="#bkmrk-test"', $updatedPage->html); } public function test_get_page_nav_sets_correct_properties() { $content = '

Hello

There

Donkey

'; $pageContent = new PageContent(new Page(['html' => $content])); $navMap = $pageContent->getNavigation($content); $this->assertCount(3, $navMap); $this->assertArrayMapIncludes([ 'nodeName' => 'h1', 'link' => '#testa', 'text' => 'Hello', 'level' => 1, ], $navMap[0]); $this->assertArrayMapIncludes([ 'nodeName' => 'h2', 'link' => '#testb', 'text' => 'There', 'level' => 2, ], $navMap[1]); $this->assertArrayMapIncludes([ 'nodeName' => 'h3', 'link' => '#testc', 'text' => 'Donkey', 'level' => 3, ], $navMap[2]); } public function test_get_page_nav_does_not_show_empty_titles() { $content = '

Hello

 

'; $pageContent = new PageContent(new Page(['html' => $content])); $navMap = $pageContent->getNavigation($content); $this->assertCount(1, $navMap); $this->assertArrayMapIncludes([ 'nodeName' => 'h1', 'link' => '#testa', 'text' => 'Hello', ], $navMap[0]); } public function test_get_page_nav_shifts_headers_if_only_smaller_ones_are_used() { $content = '

Hello

There
Donkey
'; $pageContent = new PageContent(new Page(['html' => $content])); $navMap = $pageContent->getNavigation($content); $this->assertCount(3, $navMap); $this->assertArrayMapIncludes([ 'nodeName' => 'h4', 'level' => 1, ], $navMap[0]); $this->assertArrayMapIncludes([ 'nodeName' => 'h5', 'level' => 2, ], $navMap[1]); $this->assertArrayMapIncludes([ 'nodeName' => 'h6', 'level' => 3, ], $navMap[2]); } public function test_get_page_nav_respects_non_breaking_spaces() { $content = '

Hello There

'; $pageContent = new PageContent(new Page(['html' => $content])); $navMap = $pageContent->getNavigation($content); $this->assertEquals([ 'nodeName' => 'h1', 'link' => '#testa', 'text' => 'Hello There', 'level' => 1, ], $navMap[0]); } public function test_page_text_decodes_html_entities() { $page = $this->entities->page(); $this->actingAs($this->users->admin()) ->put($page->getUrl(''), [ 'name' => 'Testing', 'html' => '

"Hello & welcome"

', ]); $page->refresh(); $this->assertEquals('"Hello & welcome"', $page->text); } public function test_page_markdown_table_rendering() { $this->asEditor(); $page = $this->entities->page(); $content = '| Syntax | Description | | ----------- | ----------- | | Header | Title | | Paragraph | Text |'; $this->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => $content, 'html' => '', 'summary' => '', ]); $page->refresh(); $this->assertStringContainsString('', $page->html); $pageView = $this->get($page->getUrl()); $this->withHtml($pageView)->assertElementExists('.page-content table tbody td'); } public function test_page_markdown_task_list_rendering() { $this->asEditor(); $page = $this->entities->page(); $content = '- [ ] Item a - [x] Item b'; $this->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => $content, 'html' => '', 'summary' => '', ]); $page->refresh(); $this->assertStringContainsString('input', $page->html); $this->assertStringContainsString('type="checkbox"', $page->html); $pageView = $this->get($page->getUrl()); $this->withHtml($pageView)->assertElementExists('.page-content li.task-list-item input[type=checkbox]'); $this->withHtml($pageView)->assertElementExists('.page-content li.task-list-item input[type=checkbox][checked]'); } public function test_page_markdown_strikethrough_rendering() { $this->asEditor(); $page = $this->entities->page(); $content = '~~some crossed out text~~'; $this->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => $content, 'html' => '', 'summary' => '', ]); $page->refresh(); $this->assertStringMatchesFormat('%Asome crossed out text%A', $page->html); $pageView = $this->get($page->getUrl()); $this->withHtml($pageView)->assertElementExists('.page-content p > s'); } public function test_page_markdown_single_html_comment_saving() { $this->asEditor(); $page = $this->entities->page(); $content = ''; $this->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => $content, 'html' => '', 'summary' => '', ]); $page->refresh(); $this->assertStringMatchesFormat($content, $page->html); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $pageView->assertSee($content, false); } public function test_base64_images_get_extracted_from_page_content() { $this->asEditor(); $page = $this->entities->page(); $this->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'html' => '

test

', ]); $page->refresh(); $this->assertStringMatchesFormat('%Atest%A

%A', $page->html); $matches = []; preg_match('/src="http:\/\/localhost(.*?)"/', $page->html, $matches); $imagePath = $matches[1]; $imageFile = public_path($imagePath); $this->assertEquals(base64_decode($this->base64Jpeg), file_get_contents($imageFile)); $this->files->deleteAtRelativePath($imagePath); } public function test_base64_images_get_extracted_when_containing_whitespace() { $this->asEditor(); $page = $this->entities->page(); $base64PngWithWhitespace = "iVBORw0KGg\noAAAANSUhE\tUgAAAAEAAAA BCA YAAAAfFcSJAAA\n\t ACklEQVR4nGMAAQAABQAB"; $base64PngWithoutWhitespace = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQAB'; $this->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'html' => '

test

', ]); $page->refresh(); $this->assertStringMatchesFormat('%Atest%A

%A', $page->html); $matches = []; preg_match('/src="http:\/\/localhost(.*?)"/', $page->html, $matches); $imagePath = $matches[1]; $imageFile = public_path($imagePath); $this->assertEquals(base64_decode($base64PngWithoutWhitespace), file_get_contents($imageFile)); $this->files->deleteAtRelativePath($imagePath); } public function test_base64_images_within_html_blanked_if_not_supported_extension_for_extract() { // Relevant to https://github.com/BookStackApp/BookStack/issues/3010 and other cases $extensions = [ 'jiff', 'pngr', 'png ', ' png', '.png', 'png.', 'p.ng', ',png', 'data:image/png', ',data:image/png', ]; foreach ($extensions as $extension) { $this->asEditor(); $page = $this->entities->page(); $this->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'html' => '

test

', ]); $page->refresh(); $this->assertStringContainsString('html); } } public function test_base64_images_within_html_blanked_if_no_image_create_permission() { $editor = $this->users->editor(); $page = $this->entities->page(); $this->permissions->removeUserRolePermissions($editor, ['image-create-all']); $this->actingAs($editor)->put($page->getUrl(), [ 'name' => $page->name, 'html' => '

test

', ]); $page->refresh(); $this->assertStringMatchesFormat('%Atest%A

%A', $page->html); } public function test_base64_images_within_html_blanked_if_content_does_not_appear_like_an_image() { $page = $this->entities->page(); $imgContent = base64_encode('file://test/a/b/c'); $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'html' => '

test

', ]); $page->refresh(); $this->assertStringMatchesFormat('%Atest%A

%A', $page->html); } public function test_base64_images_get_extracted_from_markdown_page_content() { $this->asEditor(); $page = $this->entities->page(); $this->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'markdown' => 'test ![test](data:image/jpeg;base64,' . $this->base64Jpeg . ')', ]); $page->refresh(); $this->assertStringMatchesFormat('%Atest test%A

%A', $page->html); $matches = []; preg_match('/src="http:\/\/localhost(.*?)"/', $page->html, $matches); $imagePath = $matches[1]; $imageFile = public_path($imagePath); $this->assertEquals(base64_decode($this->base64Jpeg), file_get_contents($imageFile)); $this->files->deleteAtRelativePath($imagePath); } public function test_markdown_base64_extract_not_limited_by_pcre_limits() { $pcreBacktrackLimit = ini_get('pcre.backtrack_limit'); $pcreRecursionLimit = ini_get('pcre.recursion_limit'); $this->asEditor(); $page = $this->entities->page(); ini_set('pcre.backtrack_limit', '500'); ini_set('pcre.recursion_limit', '500'); $content = str_repeat(base64_decode($this->base64Jpeg), 50); $base64Content = base64_encode($content); $this->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'markdown' => 'test ![test](data:image/jpeg;base64,' . $base64Content . ') ![test](data:image/jpeg;base64,' . $base64Content . ')', ]); $page->refresh(); $this->assertStringMatchesFormat('test test test%A

%A', $page->html); $matches = []; preg_match('/src="http:\/\/localhost(.*?)"/', $page->html, $matches); $imagePath = $matches[1]; $imageFile = public_path($imagePath); $this->assertEquals($content, file_get_contents($imageFile)); $this->files->deleteAtRelativePath($imagePath); ini_set('pcre.backtrack_limit', $pcreBacktrackLimit); ini_set('pcre.recursion_limit', $pcreRecursionLimit); } public function test_base64_images_within_markdown_blanked_if_not_supported_extension_for_extract() { $page = $this->entities->page(); $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'summary' => '', 'markdown' => 'test ![test](data:image/jiff;base64,' . $this->base64Jpeg . ')', ]); $this->assertStringContainsString('refresh()->html); } public function test_base64_images_within_markdown_blanked_if_no_image_create_permission() { $editor = $this->users->editor(); $page = $this->entities->page(); $this->permissions->removeUserRolePermissions($editor, ['image-create-all']); $this->actingAs($editor)->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => 'test ![test](data:image/jpeg;base64,' . $this->base64Jpeg . ')', ]); $this->assertStringContainsString('refresh()->html); } public function test_base64_images_within_markdown_blanked_if_content_does_not_appear_like_an_image() { $page = $this->entities->page(); $imgContent = base64_encode('file://test/a/b/c'); $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'markdown' => 'test ![test](data:image/jpeg;base64,' . $imgContent . ')', ]); $page->refresh(); $this->assertStringContainsString('refresh()->html); } public function test_nested_headers_gets_assigned_an_id() { $page = $this->entities->page(); $content = '
Simple Test
'; $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'html' => $content, ]); // The top level node will get assign the bkmrk-simple-test id because the system will // take the node value of h5 // So the h5 should get the bkmrk-simple-test-1 id $this->assertStringContainsString('
Simple Test
', $page->refresh()->html); } public function test_non_breaking_spaces_are_preserved() { $page = $this->entities->page(); $content = '

 

'; $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'html' => $content, ]); $this->assertStringContainsString('

 

', $page->refresh()->html); } public function test_page_save_with_many_headers_and_links_is_reasonable() { $page = $this->entities->page(); $content = ''; for ($i = 0; $i < 500; $i++) { $content .= "
Simple Test
"; } $time = time(); $this->asEditor()->put($page->getUrl(), [ 'name' => $page->name, 'html' => $content, ])->assertRedirect(); $timeElapsed = time() - $time; $this->assertLessThan(3, $timeElapsed); } }