asEditor();
        $page = $this->entities->page();
        $script = 'abc123abc123';
        $page->html = "escape {$script}";
        $page->save();
        $pageView = $this->get($page->getUrl());
        $pageView->assertStatus(200);
        $pageView->assertDontSee($script, false);
        $pageView->assertSee('abc123abc123');
    }

    /**
     * Saves a series of script-bearing page bodies and checks that the
     * rendered `.page-content` container no longer contains the script.
     *
     * NOTE(review): every $checks entry and the assertion needle below are
     * plain text or empty strings as extracted; the markup they originally
     * carried appears to have been stripped. Restore from upstream before
     * relying on these assertions — an empty needle makes the "not contains"
     * check meaningless.
     */
    public function test_more_complex_content_script_escaping_scenarios()
    {
        // 'j' presumably selects the script-filtering mode of the content filter — confirm against the config docs
        config()->set('app.content_filtering', 'j');
        $checks = [
            "
Some script
",
            "Some script
Some script
",
            "Some script
",
            "Some script
",
            "Some script
",
        ];
        $this->asEditor();
        $page = $this->entities->page();
        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();
            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            // needle is empty as extracted; see the note on this method
            $this->withHtml($pageView)->assertElementNotContains('.page-content', '');
        }
    }

    /**
     * Per its name, checks that javascript: and base64 src URLs do not
     * survive into the rendered page while the visible marker text does.
     *
     * NOTE(review): the first seven entries and the heredoc are empty as
     * extracted, and 'thisdogshouldnotbefound' appears in no entry of
     * $checks, so the negative assertion currently has nothing to catch.
     * Restore the payloads from upstream.
     */
    public function test_js_and_base64_src_urls_are_removed()
    {
        config()->set('app.content_filtering', 'j');
        $checks = [
            '',
            '',
            '',
            '',
            '',
            '',
            '',
            'thisisacattofind
',
            'thisisacattofind
',
            'thisisacattofind
',
            'thisisacattofind
',
            'thisisacattofind
',
            'thisisacattofind
',
            'thisisacattofind
',
            <<<'TESTCASE'
            TESTCASE
        ];
        $this->asEditor();
        $page = $this->entities->page();
        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();
            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            // the marker text must remain visible; only the URL-bearing part should be removed
            $pageView->assertSee('thisisacattofind');
            $pageView->assertDontSee('thisdogshouldnotbefound');
        }
    }

    /**
     * Form-related attributes (formaction, form, formmethod, formtarget and
     * an upper-case FORMTARGET) must not reach the rendered page. Each
     * attribute is checked on its own, then all of them against a single
     * sample meant to carry the attributes inside SVG.
     *
     * NOTE(review): the $checks values and $withinSvgSample carry no markup
     * as extracted, so the attribute-selector assertions currently run
     * against plain text. Restore from upstream.
     */
    public function test_form_attributes_are_removed()
    {
        // 'f' presumably selects the form-attribute filtering mode — confirm against the config docs
        config()->set('app.content_filtering', 'f');
        $withinSvgSample = <<<'TESTCASE'
        TESTCASE;
        $checks = [
            'formaction' => 'thisisacattofind
',
            'form' => 'thisisacattofind
',
            'formmethod' => 'thisisacattofind
',
            'formtarget' => 'thisisacattofind
',
            'FORMTARGET' => 'thisisacattofind
',
        ];
        $this->asEditor();
        $page = $this->entities->page();
        foreach ($checks as $attribute => $check) {
            $page->html = $check;
            $page->save();
            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $pageView->assertSee('thisisacattofind');
            // attribute selector: no element under .page-content may still carry the attribute
            $this->withHtml($pageView)->assertElementNotExists(".page-content [{$attribute}]");
        }
        $page->html = $withinSvgSample;
        $page->save();
        $pageView = $this->get($page->getUrl());
        $pageView->assertStatus(200);
        $html = $this->withHtml($pageView);
        foreach ($checks as $attribute => $check) {
            $pageView->assertSee('thisisacattofind');
            $html->assertElementNotExists(".page-content [{$attribute}]");
        }
    }

    /**
     * Per its name, checks that redirect-carrying metadata is removed: the
     * rendered container must contain neither `content=` nor `external_url`.
     *
     * NOTE(review): the three $checks entries and the first two assertion
     * needles are empty as extracted; restore the payloads from upstream.
     */
    public function test_metadata_redirects_are_removed()
    {
        // 'h' presumably selects the metadata/redirect filtering mode — confirm against the config docs
        config()->set('app.content_filtering', 'h');
        $checks = [
            '',
            '',
            '',
        ];
        $this->asEditor();
        $page = $this->entities->page();
        foreach ($checks as $check) {
            $page->html = $check;
            $page->save();
            $pageView = $this->get($page->getUrl());
            $pageView->assertStatus(200);
            $this->withHtml($pageView)->assertElementNotContains('.page-content', '');
            $this->withHtml($pageView)->assertElementNotContains('.page-content', '');
            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'content=');
            $this->withHtml($pageView)->assertElementNotContains('.page-content', 'external_url');
        }
    }

    /**
     * With the 'j' filtering mode, an element carrying an inline on*
     * handler must be rendered without the handler while its text is kept.
     *
     * NOTE(review): as extracted the DontSee and See needles are identical
     * ('Hello' plus a newline), which cannot both hold; the difference lived
     * in markup that appears stripped. Restore from upstream.
     */
    public function test_page_inline_on_attributes_removed_by_default()
    {
        config()->set('app.content_filtering', 'j');
        $this->asEditor();
        $page = $this->entities->page();
        $script = 'Hello
';
        $page->html = "escape {$script}";
        $page->save();
        $pageView = $this->get($page->getUrl());
        $pageView->assertStatus(200);
        // false = compare against the raw needle rather than its HTML-escaped form
        $pageView->assertDontSee($script, false);
        $pageView->assertSee('Hello
', false);
    }

    /**
     * Several inline on* handler variants must all be stripped: the rendered
     * `.page-content` container must not contain `onclick`.
     *
     * NOTE(review): the entries are plain text as extracted, and the last
     * entry is left exactly as found — its escaped quote (\') leaves the
     * literal unterminated, so the remainder of the method is kept on that
     * one line untouched. Restore from upstream before running.
     */
    public function test_more_complex_inline_on_attributes_escaping_scenarios()
    {
        config()->set('app.content_filtering', 'j');
        $checks = [
            'Hello
',
            'Hello
',
            'Hello
',
            'Hello
Hello
Hello
',
            'xss link\', ]; $this->asEditor(); $page = $this->entities->page(); foreach ($checks as $check) { $page->html = $check; $page->save(); $pageView = $this->get($page->getUrl()); $pageView->assertStatus(200); $this->withHtml($pageView)->assertElementNotContains('.page-content', 'onclick'); } }

    /**
     * With content filtering disabled (empty app.content_filtering) the
     * script must be rendered verbatim rather than escaped.
     *
     * NOTE(review): as extracted $script is the bare marker text, so the
     * raw assertSee and the assertDontSee on the same text contradict each
     * other; the script markup appears stripped. Restore from upstream.
     */
    public function test_page_content_scripts_show_with_filters_disabled()
    {
        $this->asEditor();
        $page = $this->entities->page();
        config()->set('app.content_filtering', '');
        $script = 'abc123abc123';
        $page->html = "no escape {$script}";
        $page->save();
        $pageView = $this->get($page->getUrl());
        // false = compare against the raw needle rather than its HTML-escaped form
        $pageView->assertSee($script, false);
        $pageView->assertDontSee('abc123abc123');
    }

    public function test_svg_script_usage_is_removed()
    {
        config()->set('app.content_filtering', 'j');
        $checks = [ '', '', '', '', '', '