t/04context.t @@ -9,6 +9,7 @@ Makefile.old META.yml pm_to_blib t/var/mojomojo.db +t/var/mojomojo.yml t/var/upload mojomojos.kpf MojoMojo-* .gitignore @@ -114,9 +114,9 @@ sub defang_attribs_callback { # Allow src URI's from configuration. my @allowed_src_regex; - # Tests may not have a $c if ( defined $c ) { + if ( exists $c->stash->{allowed_src_regexes} ) { @allowed_src_regex = @{ $c->stash->{allowed_src_regexes} }; } @@ -131,7 +131,10 @@ sub defang_attribs_callback { } } for my $allowed_src_regex (@allowed_src_regex) { - return 0 if $$attr_val_r =~ $allowed_src_regex; + if ( $$attr_val_r =~ $allowed_src_regex ) { + return 0; + } + } # When $c and src uri authority are defined we want to make sure @@ -145,9 +148,17 @@ sub defang_attribs_callback { return 1; } } - else { + # We have an authority but no context. + # Probably means we're testing with just the Defang formatter + # instead of the Full formatter chain. + # We will defang any src's left with an authority (defang_src) + # since the approved ones were already allowed in above. + elsif ( defined $src_uri_object->authority ) { return 1; } + else { + return 2; + } } return 0; lib/MojoMojo/Formatter/Defang.pm @@ -1,7 +1,10 @@ #!/usr/bin/perl -w -use Test::More tests => 26; +use Test::More tests => 27; use HTTP::Request::Common; use Test::Differences; +use FindBin '$Bin'; +use lib "$Bin/../lib"; +use Data::Dumper; my $original_formatter ; # used to save/restore whatever formatter is set up in mojomojo.db @@ -23,6 +26,7 @@ END { } ( undef, $c ) = ctx_request('/'); +#warn Dumper $c->config; ok( $original_formatter = $c->pref('main_formatter'), 'save original formatter' ); @@ -432,4 +436,12 @@ HTML $expected = '<p><img defang_src="//malicious.com/foto.jpg" /></p> '; $got = get( POST '/.jsrpc/render', [ content => $content ] ); -eq_or_diff( $got, $expected, $test ); \ No newline at end of file +eq_or_diff( $got, $expected, $test ); + +$test = 'remote img src allowed in .conf'; +$content = <<'HTML'; +<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/P_hTFilWY9w&amp;hl=en"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/P_hTFilWY9w&amp;hl=en" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p> +HTML +$expected = $content; +$got = get( POST '/.jsrpc/render', [ content => $content ] ); +is( $got, $expected, $test ); t/formatter_all_textile.t @@ -1,7 +1,7 @@ #!/usr/bin/perl -w use strict; use MojoMojo::Formatter::Defang; -use Test::More tests => 5; +use Test::More tests => 6; use Test::Differences; my ( $content, $got, $expected, $test ); @@ -55,3 +55,11 @@ $content = '<img src="http://far.away.com/imatge.jpg" />'; $expected = '<img defang_src="http://far.away.com/imatge.jpg" />'; MojoMojo::Formatter::Defang->format_content( \$content ); eq_or_diff( $content, $expected, $test ); + +$test = 'img src local tag'; +$content = <<'HTML'; +<img src="/.static/catalyst.png" alt="Powered by Catalyst" title="Powered by Catalyst" /> +HTML +$expected = $content; +MojoMojo::Formatter::Defang->format_content( \$content ); +eq_or_diff( $content, $expected, $test ); t/formatter_defang.t @@ -55,7 +55,7 @@ sub init_schema { unlink($db_file) if -e $db_file; mkdir($db_dir) unless -d $db_dir; - + my $dsn = $ENV{"MOJOMOJO_TEST_SCHEMA_DSN"} || "dbi:SQLite:${db_file}"; my $dbuser = $ENV{"MOJOMOJO_TEST_SCHEMA_DBUSER"} || ''; my $dbpass = $ENV{"MOJOMOJO_TEST_SCHEMA_DBPASS"} || ''; @@ -88,6 +88,9 @@ sub init_schema { } } }, + 'allowed' => { + src => [qw(youtube.com youporn.org iusethis.com)] , + }, 'View::Email' => { sender => { mailer => 'Test' } }, }; YAML::DumpFile('t/var/mojomojo.yml',$config); t/lib/MojoMojoTestSchema.pm t/var/mojomojo.yml 2920df1f7aa4ebb75b8f08a63de42b609d982aa2 mateu x hunter hunter@missoula.org http://github.com/marcusramberg/mojomojo/commit/48b05e51fb81f699dd3a36731da7ebffb5f88aab 48b05e51fb81f699dd3a36731da7ebffb5f88aab 2009-06-01T16:08:26-07:00 2009-06-01T16:08:26-07:00 Ease back throttle on defang src. Test that /.static/* src are not defanged. remove t/var/mojomojo.yml since it's created by MojoMojoTestSchema and 01app.t. Thank rafl for pointing it out. 06770cb541077d60eda65d5c6c589007ea1c871a mateu x hunter hunter@missoula.org