From 8c11758496f9d9e365d818ad791e737134d395b0 Mon Sep 17 00:00:00 2001
From: Christopher Broderick
Date: Fri, 16 May 2025 20:10:50 +0100
Subject: [PATCH] Add tests for imp[roved markdown link cleaning
---
 helpdesk/tests/test_markdown.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/helpdesk/tests/test_markdown.py b/helpdesk/tests/test_markdown.py
index e3a860ab..6c11864c 100644
--- a/helpdesk/tests/test_markdown.py
+++ b/helpdesk/tests/test_markdown.py
@@ -31,14 +31,32 @@ class MarkDown(SimpleTestCase):
 output_value = get_markdown(input_value)
 self.assertEqual(output_value, expected_value)
- def test_markdown_link_correct_protokol(self):
+ def test_markdown_link_correct_protocol(self):
 expected_value = '

www.google.com

'
 input_value = "[www.google.com](http://www.yahoo.ru)"
 output_value = get_markdown(input_value)
 self.assertEqual(output_value, expected_value)
- def test_markdown_link_not_correct_protokol(self):
+ def test_markdown_link_not_correct_protocol(self):
 expected_value = '

www.google.com

'
 input_value = "[www.google.com](aaaa://www.yahoo.ru)"
 output_value = get_markdown(input_value)
 self.assertEqual(output_value, expected_value)
+
+ def test_multiline_markdown_link_with_correct_and_incorrect_protocol(self):
+ expected_value = '

ThisXSS

\n

Line 2: TEST

'
+ input_value = "This[XSS](http://alert.javascript.test)\n\nLine 2: [TEST](javascript:alert(document.domain);)"
+ output_value = get_markdown(input_value)
+ self.assertEqual(output_value, expected_value)
+
+ def test_multiline_markdown_link_with_correct_and_incorrect_protocol_twice_declared(self):
+ expected_value = '

ThisXSS

\n

FAKE IT TILL YOU MAKE IT: TEST

'
+ input_value = "This[XSS](http://alert.javascript.test)\n\nFAKE IT TILL YOU MAKE IT: [TEST](javascript:javascript:alert(document.domain);)"
+ output_value = get_markdown(input_value)
+ self.assertEqual(output_value, expected_value)
+
+ def test_markdown_link_with__multiple_incorrect_protocols(self):
+ expected_value = '

First one:XSS1 ...try again: XSS2

'
+ input_value = "First one:[XSS1](javascript:alert(document.domain);) ...try again: [XSS2](javascript:javascript:alert(document.domain);)"
+ output_value = get_markdown(input_value)
+ self.assertEqual(output_value, expected_value)
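Review bot: The three added tests exercise only the lowercase `javascript:` spelling, so a link cleaner that compares the scheme case-sensitively would still pass all of them. Consider one more case next to `test_markdown_link_with__multiple_incorrect_protocols` with a differently cased scheme, e.g. `input_value = "[TEST](JavaScript:alert(document.domain);)"`, checked with `self.assertNotIn("javascript:", output_value.lower())` so the assertion does not depend on the exact rendered markup. The double underscore in `test_markdown_link_with__multiple_incorrect_protocols` looks like a typo. The `MarkDown` class and the test method behind the first context lines start outside this hunk, and the expected strings on this page appear to have lost their HTML markup, so the pinned `href` values cannot be confirmed from here.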