From 43d82a4327dcf2cd68d02a97cec041bdcd8dbe28 Mon Sep 17 00:00:00 2001
From: Caen De Silva
Date: Mon, 2 Dec 2024 12:07:31 +0100
Subject: [PATCH] Test escaping
---
 .../Feature/MarkdownHeadingRendererTest.php | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/packages/framework/tests/Feature/MarkdownHeadingRendererTest.php b/packages/framework/tests/Feature/MarkdownHeadingRendererTest.php
index 67bb0b3307f..b2d9e70e77f 100644
--- a/packages/framework/tests/Feature/MarkdownHeadingRendererTest.php
+++ b/packages/framework/tests/Feature/MarkdownHeadingRendererTest.php
@@ -192,6 +192,41 @@ public function testHeadingsWithSpecialCharacters()
 HTML, $html);
 }
+ public function testHeadingsAllowMarkdownStyling()
+ {
+ $markdown = <<<'MARKDOWN'
+ ## Heading with **Markdown** styling
+ MARKDOWN;
+
+ $html = (new MarkdownService($markdown, MarkdownPage::class))->parse();
+
+ $this->assertStringContainsString('Heading with Markdown styling', $html);
+
+ $this->assertSame(<<<'HTML'
+

Heading with Markdown styling

+
+ HTML, $html);
+ }
+
+ public function testHeadingsAllowBasicHtmlButEscapesDangerousInput()
+ {
+ $markdown = <<<'MARKDOWN'
+ ## Heading with HTML
+ ### Heading with
+ MARKDOWN;
+
+ $html = (new MarkdownService($markdown, MarkdownPage::class))->parse();
+
+ $this->assertStringContainsString('Heading with HTML', $html);
+ $this->assertStringContainsString("Heading with <script>alert('XSS')</script>", $html);
+
+ $this->assertSame(<<<'HTML'
+

Heading with HTML

+

Heading with <script>alert('XSS')</script>

+
+ HTML, $html);
+ }
+
 public function testCustomPageClassConfiguration()
 {
 config(['markdown.permalinks.pages' => [MarkdownPage::class]]);
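Review bot: `testHeadingsAllowBasicHtmlButEscapesDangerousInput` pins a single dangerous payload, the `<script>` tag on the `### Heading with` line, so a renderer that merely block-lists `<script>` while passing other inline tags through untouched would still be green, although event-handler attributes (`<b onmouseover=...>`), `javascript:` hrefs and `<img onerror=...>` are the vectors an allow-list for "basic HTML" actually has to defeat. Which of those MarkdownService already neutralises is not visible in this hunk, so this is a coverage point rather than a known hole: the test's name promises "escapes dangerous input" but checks one case. I would add a sibling test with those payloads and assert only on the raw forms, so the check holds whether the renderer escapes the whole tag or just strips the attribute, and the existing `assertSame` fixture stays untouched. Note too that this rendering of the patch has dropped the inline tag on the `## Heading with HTML` line (and the author's e-mail), so the allowed tag under test cannot be recovered from the hunk as shown.
```php
    public function testHeadingsNeutraliseEventHandlersAndJavascriptUrls()
    {
        $markdown = <<<'MARKDOWN'
        ## Heading with <b onmouseover="alert(1)">hover</b>
        ## Heading with <a href="javascript:alert(1)">link</a>
        ## Heading with <img src=x onerror=alert(1)>
        MARKDOWN;

        $html = (new MarkdownService($markdown, MarkdownPage::class))->parse();

        // Negative checks on the raw tag openers hold whether the renderer escapes
        // the whole tag (`&lt;b onmouseover`) or only strips the offending attribute.
        $this->assertStringNotContainsString('<b onmouseover', $html);
        $this->assertStringNotContainsString('<a href="javascript:', $html);
        $this->assertStringNotContainsString('<img src=x onerror', $html);
    }
```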