
Commit 8fcb0e6

committed
Merge branch 'v0.26'
2 parents 9444183 + c732970 commit 8fcb0e6

2 files changed

Lines changed: 50 additions & 2 deletions


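--- a/app/Entities/Repos/EntityRepo.php
+++ b/app/Entities/Repos/EntityRepo.php
@@ -760,13 +760,13 @@ protected function escapeScripts(string $html) : string
 $xPath = new DOMXPath($doc);
 
 // Remove standard script tags
-$scriptElems = $xPath->query('//body//*//script');
+$scriptElems = $xPath->query('//script');
 foreach ($scriptElems as $scriptElem) {
 $scriptElem->parentNode->removeChild($scriptElem);
 }
 
 // Remove 'on*' attributes
-$onAttributes = $xPath->query('//body//*/@*[starts-with(name(), \'on\')]');
+$onAttributes = $xPath->query('//@*[starts-with(name(), \'on\')]');
 foreach ($onAttributes as $attr) {
 /** @var \DOMAttr $attr*/
 $attrName = $attr->nodeName;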
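Review bot: The widened attribute query at new line 769 still compares names case-sensitively — `starts-with(name(), 'on')` does not match an attribute spelled `ONCLICK` or `onClick` unless the HTML parser that built `$doc` has already lowercased attribute names (libxml's HTML parser generally does, but that is not visible in this hunk and is worth pinning with a test rather than assumed). Making the predicate case-insensitive is a one-line change: `$onAttributes = $xPath->query('//@*[starts-with(translate(name(), \'ON\', \'on\'), \'on\')]');`. It would also help a later reader to record why both queries were widened from `//body//*` to the whole document, e.g. `// Query the whole document, not just descendants of <body>: content may be parsed outside <body>, and <body>'s own attributes were skipped by the old query` — the second half of that comment is an inference from the old XPath rather than something the commit states. escapeScripts starts and ends outside the hunk, so how `$doc` is built and what happens after `$attrName` is assigned could not be reviewed here.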

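--- a/tests/Entity/PageContentTest.php
+++ b/tests/Entity/PageContentTest.php
@@ -84,6 +84,31 @@ public function test_page_content_scripts_removed_by_default()
 $pageView->assertSee('abc123abc123');
 }
 
+public function test_more_complex_content_script_escaping_scenarios()
+{
+$checks = [
+"<p>Some script</p><script>alert('cat')</script>",
+"<div><div><div><div><p>Some script</p><script>alert('cat')</script></div></div></div></div>",
+"<p>Some script<script>alert('cat')</script></p>",
+"<p>Some script <div><script>alert('cat')</script></div></p>",
+"<p>Some script <script><div>alert('cat')</script></div></p>",
+"<p>Some script <script><div>alert('cat')</script><script><div>alert('cat')</script></p><script><div>alert('cat')</script>",
+];
+
+$this->asEditor();
+$page = Page::first();
+
+foreach ($checks as $check) {
+$page->html = $check;
+$page->save();
+
+$pageView = $this->get($page->getUrl());
+$pageView->assertElementNotContains('.page-content', '<script>');
+$pageView->assertElementNotContains('.page-content', '</script>');
+}
+
+}
+
 public function test_page_inline_on_attributes_removed_by_default()
 {
 $this->asEditor();
@@ -97,6 +122,29 @@ public function test_page_inline_on_attributes_removed_by_default()
 $pageView->assertSee('<p>Hello</p>');
 }
 
+public function test_more_complex_inline_on_attributes_escaping_scenarios()
+{
+$checks = [
+'<p onclick="console.log(\'test\')">Hello</p>',
+'<div>Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p>',
+'<div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div>',
+'<div><div><div><div>Lorem ipsum dolor sit amet.<p onclick="console.log(\'test\')">Hello</p></div></div></div></div>',
+'<div onclick="console.log(\'test\')">Lorem ipsum dolor sit amet.</div><p onclick="console.log(\'test\')">Hello</p><div></div>',
+];
+
+$this->asEditor();
+$page = Page::first();
+
+foreach ($checks as $check) {
+$page->html = $check;
+$page->save();
+
+$pageView = $this->get($page->getUrl());
+$pageView->assertElementNotContains('.page-content', 'onclick');
+}
+
+}
+
 public function test_page_content_scripts_show_when_configured()
 {
 $this->asEditor();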
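Review bot: Both new tests (the script scenarios at new lines 87-110 and the on-attribute scenarios at 125-146) only assert that the dangerous token is absent, so a sanitizer that dropped the entire page body would pass them too; each loop iteration should also check that the benign content survived, e.g. `$pageView->assertSee('Some script');` in the first test and `$pageView->assertSee('Hello');` in the second, mirroring the positive `assertSee` the existing tests at lines 84 and 122 already make. Neither test exercises a case-variant tag or attribute name, so the case handling of the XPath predicates in EntityRepo::escapeScripts is unpinned; one `<SCRIPT>` and one `ONCLICK` entry in the respective `$checks` arrays would cover it. On style, the empty line before each method's closing `}` (new lines 109 and 145) is noise that PSR-12 formatting would drop.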
