create PM v0.5
This commit is contained in:
parent
9b47296cea
commit
d2ba22c0cf
25 changed files with 2155 additions and 72 deletions
125
tests/Feature/PressReleaseHtmlSanitizerTest.php
Normal file
125
tests/Feature/PressReleaseHtmlSanitizerTest.php
Normal file
|
|
@ -0,0 +1,125 @@
|
|||
<?php
|
||||
|
||||
use App\Models\PressRelease;
|
||||
use App\Services\PressRelease\PressReleaseHtmlSanitizer;
|
||||
|
||||
function sanitizer(): PressReleaseHtmlSanitizer
|
||||
{
|
||||
return app(PressReleaseHtmlSanitizer::class);
|
||||
}
|
||||
|
||||
test('clean strips script and style tags', function () {
|
||||
$dirty = '<p>Hallo</p><script>alert("xss")</script><style>body{}</style>';
|
||||
|
||||
$clean = sanitizer()->clean($dirty);
|
||||
|
||||
expect($clean)->toContain('<p>Hallo</p>');
|
||||
expect($clean)->not->toContain('<script');
|
||||
expect($clean)->not->toContain('alert');
|
||||
expect($clean)->not->toContain('<style');
|
||||
});
|
||||
|
||||
test('clean strips iframes and event handlers', function () {
|
||||
$dirty = '<p onclick="bad()">Hallo</p><iframe src="https://evil.test"></iframe>';
|
||||
|
||||
$clean = sanitizer()->clean($dirty);
|
||||
|
||||
expect($clean)->not->toContain('onclick');
|
||||
expect($clean)->not->toContain('<iframe');
|
||||
});
|
||||
|
||||
test('clean keeps allowed tags in press release allowlist', function () {
|
||||
$dirty = '<h2>Headline</h2><p>Absatz mit <strong>fett</strong> und <em>kursiv</em>.</p>'
|
||||
.'<ul><li>Punkt A</li><li>Punkt B</li></ul>'
|
||||
.'<blockquote>Zitat</blockquote>'
|
||||
.'<a href="https://example.test">Link</a>';
|
||||
|
||||
$clean = sanitizer()->clean($dirty);
|
||||
|
||||
expect($clean)->toContain('<h2>Headline</h2>');
|
||||
expect($clean)->toContain('<strong>fett</strong>');
|
||||
expect($clean)->toContain('<em>kursiv</em>');
|
||||
expect($clean)->toContain('<ul>');
|
||||
expect($clean)->toContain('<li>Punkt A</li>');
|
||||
expect($clean)->toContain('<blockquote>');
|
||||
expect($clean)->toContain('href="https://example.test"');
|
||||
});
|
||||
|
||||
test('clean removes disallowed tags like h1 table img', function () {
|
||||
$dirty = '<h1>Big</h1><table><tr><td>x</td></tr></table><img src="x.jpg">';
|
||||
|
||||
$clean = sanitizer()->clean($dirty);
|
||||
|
||||
expect($clean)->not->toContain('<h1');
|
||||
expect($clean)->not->toContain('<table');
|
||||
expect($clean)->not->toContain('<img');
|
||||
});
|
||||
|
||||
test('external links get rel nofollow and target blank', function () {
|
||||
$dirty = '<p><a href="https://example.test">Link</a></p>';
|
||||
|
||||
$clean = sanitizer()->clean($dirty);
|
||||
|
||||
expect($clean)->toContain('rel=');
|
||||
expect($clean)->toContain('nofollow');
|
||||
expect($clean)->toContain('target="_blank"');
|
||||
});
|
||||
|
||||
test('clean returns empty string for null and whitespace input', function () {
|
||||
expect(sanitizer()->clean(null))->toBe('');
|
||||
expect(sanitizer()->clean(' '))->toBe('');
|
||||
});
|
||||
|
||||
test('isHtml detects html content', function () {
|
||||
expect(sanitizer()->isHtml('<p>Hi</p>'))->toBeTrue();
|
||||
expect(sanitizer()->isHtml('<strong>foo</strong>'))->toBeTrue();
|
||||
expect(sanitizer()->isHtml('Plain text only'))->toBeFalse();
|
||||
expect(sanitizer()->isHtml(''))->toBeFalse();
|
||||
expect(sanitizer()->isHtml(null))->toBeFalse();
|
||||
});
|
||||
|
||||
test('render wraps legacy plain text into paragraphs and br tags', function () {
|
||||
$plain = "Zeile eins\nZeile zwei\n\nNeuer Absatz";
|
||||
|
||||
$html = (string) sanitizer()->render($plain);
|
||||
|
||||
expect($html)->toContain('<p>');
|
||||
expect($html)->toContain('Zeile eins<br');
|
||||
expect($html)->toContain('Zeile zwei');
|
||||
expect($html)->toContain('Neuer Absatz');
|
||||
});
|
||||
|
||||
test('render escapes html-special chars in legacy plain text', function () {
|
||||
$plain = 'Skript: <script>alert(1)</script>';
|
||||
|
||||
$html = (string) sanitizer()->render($plain);
|
||||
|
||||
expect($html)->not->toContain('<script');
|
||||
expect($html)->toContain('<script');
|
||||
});
|
||||
|
||||
test('render returns sanitized html for stored html content', function () {
|
||||
$stored = '<p>Hallo</p><script>bad()</script>';
|
||||
|
||||
$html = (string) sanitizer()->render($stored);
|
||||
|
||||
expect($html)->toContain('<p>Hallo</p>');
|
||||
expect($html)->not->toContain('<script');
|
||||
});
|
||||
|
||||
test('plainTextLength counts chars without html noise', function () {
|
||||
expect(sanitizer()->plainTextLength('<p>Hallo Welt</p>'))->toBe(10);
|
||||
expect(sanitizer()->plainTextLength('<p>Eins</p> <p>Zwei</p>'))->toBe(9);
|
||||
expect(sanitizer()->plainTextLength(null))->toBe(0);
|
||||
});
|
||||
|
||||
test('PressRelease::renderedText uses the sanitizer', function () {
|
||||
$pr = PressRelease::factory()->create([
|
||||
'text' => '<p>Hallo</p><script>bad()</script>',
|
||||
]);
|
||||
|
||||
$rendered = (string) $pr->renderedText();
|
||||
|
||||
expect($rendered)->toContain('<p>Hallo</p>');
|
||||
expect($rendered)->not->toContain('<script');
|
||||
});
|
||||
Loading…
Add table
Add a link
Reference in a new issue