archtechx/laravel-seo
1
0
Fork 0
mirror of https://github.com/archtechx/laravel-seo.git synced 2025-12-12 09:54:03 +00:00
Code Activity

Fix sanitization issues when rendering Blade, add regression tests

Browse source
This commit is contained in:
Samuel Štancl 2023-05-31 18:56:33 +02:00
parent 567a7b09ef
commit f6d85e3dfe
6 changed files with 104 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

84
tests/Pest/SanitizationTest.php Normal file
View file

@ -0,0 +1,84 @@
<?php
test('opengraph methods properly sanitize input', function (string $method, string $property) {
$unsanitizedContent = 'Testing string " with several \' XSS characters </title> " . \' .';
seo()->{$method}($unsanitizedContent);
$meta = meta();
$sanitizedContent = e($unsanitizedContent);
// These assertions are equivalent, but included for clarity
expect($meta)->not()->toContain('content="Testing string " with several \' XSS characters </title> " . \' ."');
expect($meta)->not()->toContain("content=\"{$unsanitizedContent}\"");
expect($meta)->toContain("<meta property=\"$property\" content=\"{$sanitizedContent}\" />");
expect($meta)->toContain("<meta property=\"$property\" content=\"Testing string &quot; with several &#039; XSS characters &lt;/title&gt; &quot; . &#039; .\" />");
})->with([
['site', 'og:site_name'],
['url', 'og:url'],
['image', 'og:image'],
['type', 'og:type'],
['locale', 'og:locale'],
]);
// The Twitter integration is tested separately as it uses `meta name=""` instead of `meta property=""`
test('the twitter extension properly sanitizes input', function (string $method, $property) {
$unsanitizedContent = 'Testing string " with several \' XSS characters </title> " . \' .';
seo()->{$method}($unsanitizedContent);
$meta = meta();
$sanitizedContent = e($unsanitizedContent);
// These assertions are equivalent, but included for clarity
expect($meta)->not()->toContain('content="Testing string " with several \' XSS characters </title> " . \' ."');
expect($meta)->not()->toContain("content=\"{$unsanitizedContent}\"");
expect($meta)->toContain("<meta name=\"$property\" content=\"{$sanitizedContent}\" />");
expect($meta)->toContain("<meta name=\"$property\" content=\"Testing string &quot; with several &#039; XSS characters &lt;/title&gt; &quot; . &#039; .\" />");
})->with([
['twitterCreator', 'twitter:creator'],
['twitterSite', 'twitter:site'],
['twitterTitle', 'twitter:title'],
['twitterDescription', 'twitter:description'],
['twitterImage', 'twitter:image'],
]);
// This method is tested separately as it adds an extra (<title>) tag
test('the title method properly sanitizes both tags', function () {
$unsanitizedContent = 'Testing string " with several \' XSS characters </title> " . \' .';
seo()->title($unsanitizedContent);
$meta = meta();
$sanitizedContent = e($unsanitizedContent);
// These assertions are equivalent, but included for clarity
expect($meta)->not()->toContain('meta property="og:title" content="Testing string " with several \' XSS characters </title> " . \' ."');
expect($meta)->not()->toContain('<title>Testing string " with several \' XSS characters </title> " . \' ."</title>');
expect($meta)->not()->toContain("meta property=\"og:title\" content=\"{$unsanitizedContent}\"");
expect($meta)->not()->toContain("<title>{$unsanitizedContent}</title>");
expect($meta)->toContain("<title>{$sanitizedContent}</title>");
expect($meta)->toContain("<title>Testing string &quot; with several &#039; XSS characters &lt;/title&gt; &quot; . &#039; .</title>");
expect($meta)->toContain("<meta property=\"og:title\" content=\"{$sanitizedContent}\" />");
expect($meta)->toContain("<meta property=\"og:title\" content=\"Testing string &quot; with several &#039; XSS characters &lt;/title&gt; &quot; . &#039; .\" />");
});
test('seo blade directive calls are sanitized', function () {
seo(['image' => $string = 'Testing string " with several \' XSS characters </title> " . \' .']);
$escaped = e($string);
// Using @seo() to get a value
expect(blade('<img src="@seo(\'image\')">'))
->toBe("<img src=\"{$escaped}\">")
->not()->toBe('<img src="Testing string " with several \' XSS characters </title> " . \' ."');
// Using @seo() to set a value
expect(blade("@seo('description', 'abc \' def &')"))->toBe('abc &#039; def &amp;');
});