From 288def143cb8f594fd5c58d6a6dab07263a6c60e Mon Sep 17 00:00:00 2001
From: JoshyPHP <s9e.dev@gmail.com>
Date: Tue, 7 Nov 2017 10:34:11 +0100
Subject: [ticket/15442] Allow unsafe HTML in bbcode.html

PHPBB3-15442
---
 tests/text_formatter/s9e/factory_test.php          | 16 +++++++++
 .../fixtures/styles/unsafe/template/bbcode.html    | 40 ++++++++++++++++++++++
 .../s9e/fixtures/unsafe_default_bbcodes.xml        | 24 +++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
 create mode 100644 tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml

(limited to 'tests/text_formatter')

diff --git a/tests/text_formatter/s9e/factory_test.php b/tests/text_formatter/s9e/factory_test.php
index fd9b4e4c09..d35330a975 100644
--- a/tests/text_formatter/s9e/factory_test.php
+++ b/tests/text_formatter/s9e/factory_test.php
@@ -247,6 +247,22 @@ class phpbb_textformatter_s9e_factory_test extends phpbb_database_test_case
 		$this->assertSame($expected, $renderer->render($parser->parse($original)));
 	}
 
+	/**
+	* @testdox Accepts unsafe default BBCodes
+	*/
+	public function test_unsafe_default_bbcodes()
+	{
+		$fixture   = __DIR__ . '/fixtures/unsafe_default_bbcodes.xml';
+		$style_dir = __DIR__ . '/fixtures/styles/';
+		$container = $this->get_test_case_helpers()->set_s9e_services(null, $fixture, $style_dir);
+		$parser    = $container->get('text_formatter.parser');
+		$renderer  = $container->get('text_formatter.renderer');
+
+		$original = '[b]alert(1)[/b]';
+		$expected = '<script>alert(1)</script>';
+		$this->assertSame($expected, $renderer->render($parser->parse($original)));
+	}
+
 	/**
 	* @testdox get_configurator() triggers events before and after configuration
 	*/
diff --git a/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html b/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
new file mode 100644
index 0000000000..f3932f9b78
--- /dev/null
+++ b/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
@@ -0,0 +1,40 @@
+<!-- BEGIN ulist_open --><ul style="list-style-type: {LIST_TYPE}"><!-- END ulist_open -->
+<!-- BEGIN ulist_open_default --><ul><!-- END ulist_open_default -->
+<!-- BEGIN ulist_close --></ul><!-- END ulist_close -->
+
+<!-- BEGIN olist_open --><ol style="list-style-type: {LIST_TYPE}"><!-- END olist_open -->
+<!-- BEGIN olist_close --></ol><!-- END olist_close -->
+
+<!-- BEGIN listitem --><li><!-- END listitem -->
+<!-- BEGIN listitem_close --></li><!-- END listitem_close -->
+
+<!-- BEGIN quote_username_open --><blockquote><div><cite>{USERNAME} {L_WROTE}{L_COLON}</cite><!-- END quote_username_open -->
+<!-- BEGIN quote_open --><blockquote class="uncited"><div><!-- END quote_open -->
+<!-- BEGIN quote_close --></div></blockquote><!-- END quote_close -->
+
+<!-- BEGIN code_open --><div class="codebox"><p>{L_CODE}{L_COLON} <a href="#" onclick="selectCode(this); return false;">{L_SELECT_ALL_CODE}</a></p><code><!-- END code_open -->
+<!-- BEGIN code_close --></code></div><!-- END code_close -->
+
+<!-- BEGIN inline_attachment_open --><div class="inline-attachment"><!-- END inline_attachment_open -->
+<!-- BEGIN inline_attachment_close --></div><!-- END inline_attachment_close -->
+
+<!-- BEGIN b_open --><script><!-- END b_open -->
+<!-- BEGIN b_close --></script><!-- END b_close -->
+
+<!-- BEGIN u_open --><span style="text-decoration: underline"><!-- END u_open -->
+<!-- BEGIN u_close --></span><!-- END u_close -->
+
+<!-- BEGIN i_open --><em><!-- END i_open -->
+<!-- BEGIN i_close --></em><!-- END i_close -->
+
+<!-- BEGIN color --><span style="color: {COLOR}">{TEXT}</span><!-- END color -->
+
+<!-- BEGIN size --><span style="font-size: {SIZE}%; line-height: 116%;">{TEXT}</span><!-- END size -->
+
+<!-- BEGIN img --><img src="{URL}" class="postimage" alt="{L_IMAGE}" /><!-- END img -->
+
+<!-- BEGIN url --><a href="{URL}" class="postlink">{DESCRIPTION}</a><!-- END url -->
+
+<!-- BEGIN email --><a href="mailto:{EMAIL}">{DESCRIPTION}</a><!-- END email -->
+
+<!-- BEGIN flash --><object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=5,0,0,0" width="{WIDTH}" height="{HEIGHT}"><param name="movie" value="{URL}" /><param name="play" value="false" /><param name="loop" value="false" /><param name="quality" value="high" /><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><embed src="{URL}" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" width="{WIDTH}" height="{HEIGHT}" play="false" loop="false" quality="high" allowscriptaccess="never" allownetworking="internal"></embed></object><!-- END flash -->
diff --git a/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml b/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
new file mode 100644
index 0000000000..06524a13cc
--- /dev/null
+++ b/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_styles">
+		<column>style_id</column>
+		<column>style_name</column>
+		<column>style_copyright</column>
+		<column>style_active</column>
+		<column>style_path</column>
+		<column>bbcode_bitfield</column>
+		<column>style_parent_id</column>
+		<column>style_parent_tree</column>
+
+		<row>
+			<value>1</value>
+			<value>unsafe</value>
+			<value></value>
+			<value>1</value>
+			<value>unsafe</value>
+			<value>QA==</value>
+			<value>0</value>
+			<value></value>
+		</row>
+	</table>
+</dataset>
-- 
cgit v1.2.1