diff --git a/test/ParsedownTest.php b/test/ParsedownTest.php
index 323dace86..5fbf7f167 100644
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@@ -46,6 +46,8 @@ function test_($test, $dir)
 $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
 $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
 
+ $this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding');
+
 $actualMarkup = $this->Parsedown->text($markdown);
 
 $this->assertEquals($expectedMarkup, $actualMarkup);
diff --git a/test/data/xss_attribute_encoding.html b/test/data/xss_attribute_encoding.html
new file mode 100644
index 000000000..287ff515f
--- /dev/null
+++ b/test/data/xss_attribute_encoding.html
@@ -0,0 +1,6 @@
+
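Review bot: The escaped-markup mode is switched on by comparing the fixture name with a bare literal, `$this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding');`, so a reader has to know why that one name is special and every future escaped-mode fixture needs another edit to this method. A one-line comment would carry the intent: `// xss_text_encoding asserts the escaped-HTML output; the bad-URL and attribute-encoding fixtures run in the default (unescaped) mode so they exercise link sanitisation on its own.` Assigning the flag on every run, rather than only setting it to true for the one fixture, is what keeps the shared `$this->Parsedown` instance from leaking the mode into the next fixture, and that property is worth preserving if the condition is ever generalised. test_ begins before the hunk.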
+ + + + +
\ No newline at end of file
diff --git a/test/data/xss_attribute_encoding.md b/test/data/xss_attribute_encoding.md
new file mode 100644
index 000000000..3d8e0c86d
--- /dev/null
+++ b/test/data/xss_attribute_encoding.md
@@ -0,0 +1,11 @@
+[xss](https://www.example.com")
+
+![xss](https://www.example.com")
+
+[xss](https://www.example.com')
+
+![xss](https://www.example.com')
+
+![xss"](https://www.example.com)
+
+![xss'](https://www.example.com)
\ No newline at end of file
diff --git a/test/data/xss_bad_url.html b/test/data/xss_bad_url.html
new file mode 100644
index 000000000..93dd0d8c8
--- /dev/null
+++ b/test/data/xss_bad_url.html
@@ -0,0 +1,16 @@
+ + + + + + + + + + + + + + + +
\ No newline at end of file
diff --git a/test/data/xss_bad_url.md b/test/data/xss_bad_url.md
new file mode 100644
index 000000000..a730952fb
--- /dev/null
+++ b/test/data/xss_bad_url.md
@@ -0,0 +1,31 @@
+[xss](javascript:alert(1))
+
+[xss]( javascript:alert(1))
+
+[xss](javascript://alert(1))
+
+[xss](javascript:alert(1))
+
+![xss](javascript:alert(1))
+
+![xss]( javascript:alert(1))
+
+![xss](javascript://alert(1))
+
+![xss](javascript:alert(1))
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
\ No newline at end of file
diff --git a/test/data/xss_text_encoding.html b/test/data/xss_text_encoding.html
new file mode 100644
index 000000000..e6b3fc59b
--- /dev/null
+++ b/test/data/xss_text_encoding.html
@@ -0,0 +1,7 @@
+<script>alert(1)</script>
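Review bot: The xss_bad_url.md fixture covers the `javascript:` and `data:` schemes with a leading-space and a `//` variant for both links and images, but no mixed-case scheme, so a sanitiser that compares the scheme case-sensitively would still pass this suite; a single row such as `[xss](JavaScript:alert(1))` would close that gap. Several rows print identically in this rendering (`[xss](javascript:alert(1))` appears more than once), presumably because entity or whitespace variants in the committed file were decoded here; if the committed bytes do not actually differ, the duplicates add no coverage. The expected output in xss_bad_url.html is not visible in this rendering, so the neutralised form being asserted cannot be checked from here.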
+<script>
+alert(1)
+</script>
+<script>
+alert(1)
+</script>
\ No newline at end of file
diff --git a/test/data/xss_text_encoding.md b/test/data/xss_text_encoding.md
new file mode 100644
index 000000000..b1051a224
--- /dev/null
+++ b/test/data/xss_text_encoding.md
@@ -0,0 +1,12 @@
+ + + + + +
\ No newline at end of file