Added togglable script escaping to page content

Configurable via 'ALLOW_CONTENT_SCRIPTS' env variable.
Fixes #575
Dan Brown
2018-03-17 15:51:40 +00:00
parent 0a1546daea
commit 1ad6fe1cbd
3 changed files with 51 additions and 0 deletions


@ -112,4 +112,31 @@ class PageContentTest extends TestCase
$pageView->assertSee('def456');
}
public function test_page_content_scripts_escaped_by_default()
{
$this->asEditor();
$page = Page::first();
$script = '<script>console.log("hello-test")</script>';
$page->html = "escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertDontSee($script);
$pageView->assertSee(htmlentities($script));
}
public function test_page_content_scripts_show_when_configured()
{
$this->asEditor();
$page = Page::first();
config()->push('app.allow_content_scripts', 'true');
$script = '<script>console.log("hello-test")</script>';
$page->html = "no escape {$script}";
$page->save();
$pageView = $this->get($page->getUrl());
$pageView->assertSee($script);
$pageView->assertDontSee(htmlentities($script));
}
}
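Review bot: In test_page_content_scripts_show_when_configured, `config()->push('app.allow_content_scripts', 'true')` appends to the config entry instead of assigning it, so the setting becomes an array holding the string 'true' and the assertions pass only because that array is truthy. Setting the value directly, `config()->set('app.allow_content_scripts', true);`, would test the value the ALLOW_CONTENT_SCRIPTS variable is meant to produce. The code that reads the setting is not in this section, so it is worth confirming that a string such as 'false' coming from the environment is not also treated as enabled, since that would switch escaping off unintentionally. The escaped-by-default test pins only a literal `<script>` element; if the escaping is meant to cover other inline-script forms in page HTML, a case for those belongs next to it.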