From 7652022e24d13df9e097de13c9832dfc40d4079e Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Sun, 17 Mar 2019 09:35:39 +1100
Subject: [PATCH] Add in tests of purifying HTML output

Fix up test to work with earlier html purfier
---
 CRM/Utils/String.php                   |  1 +
 tests/phpunit/CRM/Utils/StringTest.php | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/CRM/Utils/String.php b/CRM/Utils/String.php
index 8099f23180..66f8931f29 100644
--- a/CRM/Utils/String.php
+++ b/CRM/Utils/String.php
@@ -642,6 +642,7 @@ class CRM_Utils_String {
     if (!$_filter) {
       $config = HTMLPurifier_Config::createDefault();
       $config->set('Core.Encoding', 'UTF-8');
+      $config->set('Attr.AllowedFrameTargets', ['_blank', '_self', '_parent', '_top']);
 
       // Disable the cache entirely
       $config->set('Cache.DefinitionImpl', NULL);
diff --git a/tests/phpunit/CRM/Utils/StringTest.php b/tests/phpunit/CRM/Utils/StringTest.php
index 0f273e2281..0b94f57981 100644
--- a/tests/phpunit/CRM/Utils/StringTest.php
+++ b/tests/phpunit/CRM/Utils/StringTest.php
@@ -353,4 +353,21 @@ class CRM_Utils_StringTest extends CiviUnitTestCase {
     );
   }
 
+  public function purifyHTMLProvider() {
+    $tests = [];
+    $tests[] = ['<span onmouseover=alert(0)>HOVER</span>', '<span>HOVER</span>'];
+    $tests[] = ['<a href="https://civicrm.org" target="_blank" class="button-purple">hello</a>', '<a href="https://civicrm.org" target="_blank" class="button-purple">hello</a>'];
+    return $tests;
+  }
+
+  /**
+   * Test ouput of purifyHTML
+   * @param string $testString
+   * @param string $expectedString
+   * @dataProvider purifyHTMLProvider
+   */
+  public function testPurifyHTML($testString, $expectedString) {
+    $this->assertEquals($expectedString, CRM_Utils_String::purifyHTML($testString));
+  }
+
 }
-- 
2.25.1