Rationalize Sanitizer Tests

This commit is contained in:
Jacques Distler 2007-06-09 22:21:50 -05:00
parent a68d1aa8f3
commit 6b2ec7354b


@ -12,140 +12,148 @@ class SanitizeTest < Test::Unit::TestCase
include HTML5lib include HTML5lib
def sanitize_xhtml stream def sanitize_xhtml stream
XHTMLParser.parseFragment(stream, {:tokenizer => HTMLSanitizer, :encoding => 'utf-8'}).join('').gsub(/'/,'"') XHTMLParser.parseFragment(stream, {:tokenizer => HTMLSanitizer, :encoding => 'utf-8'}).to_s
end end
def sanitize_html stream def sanitize_html stream
HTMLParser.parseFragment(stream, {:tokenizer => HTMLSanitizer, :encoding => 'utf-8'}).join('').gsub(/'/,'"') HTMLParser.parseFragment(stream, {:tokenizer => HTMLSanitizer, :encoding => 'utf-8'}).to_s
end end
def sanitize_rexml stream def sanitize_rexml stream
require 'rexml/document' require 'rexml/document'
doc = REXML::Document.new("<div xmlns=\"http://www.w3.org/1999/xhtml\">#{stream}</div>") doc = REXML::Document.new("<div xmlns='http://www.w3.org/1999/xhtml'>#{stream}</div>")
tokens = TreeWalkers.getTreeWalker('rexml').new(doc) tokens = TreeWalkers.getTreeWalker('rexml').new(doc)
HTMLSerializer.serialize(tokens, {:encoding=>'utf-8', HTMLSerializer.serialize(tokens, {:encoding=>'utf-8',
:quote_attr_values => true, :quote_attr_values => true,
:quote_char => "'",
:minimize_boolean_attributes => false, :minimize_boolean_attributes => false,
:use_trailing_solidus => true, :use_trailing_solidus => true,
:omit_optional_tags => false, :omit_optional_tags => false,
:inject_meta_charset => false, :inject_meta_charset => false,
:sanitize => true}).gsub(/^<div xmlns="http:\/\/www.w3.org\/1999\/xhtml">(.*)<\/div>$/, '\1') :sanitize => true}).gsub(/^<div xmlns='http:\/\/www.w3.org\/1999\/xhtml'>(.*)<\/div>$/, '\1')
rescue
return "Ill-formed XHTML!"
end
def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
assert_equal htmloutput, sanitize_html(input)
assert_equal xhtmloutput, sanitize_xhtml(input)
assert_equal rexmloutput, sanitize_rexml(input)
end end
HTMLSanitizer::ALLOWED_ELEMENTS.each do |tag_name| HTMLSanitizer::ALLOWED_ELEMENTS.each do |tag_name|
next if %w[caption col colgroup optgroup option table tbody td tfoot th thead tr].include?(tag_name) ### TODO next if %w[caption col colgroup optgroup option table tbody td tfoot th thead tr].include?(tag_name) ### TODO
define_method "test_should_allow_#{tag_name}_tag" do define_method "test_should_allow_#{tag_name}_tag" do
input = "<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>"
htmloutput = "<#{tag_name.downcase} title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name.downcase}>"
xhtmloutput = "<#{tag_name} title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name}>"
rexmloutput = xhtmloutput
if tag_name == 'image' if tag_name == 'image'
assert_equal "<img title=\"1\"/>foo &lt;bad&gt;bar&lt;/bad&gt; baz", htmloutput = "<img title='1'/>foo &lt;bad&gt;bar&lt;/bad&gt; baz"
sanitize_html("<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>") xhtmloutput = htmloutput
rexmloutput = "<image title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</image>"
elsif VOID_ELEMENTS.include?(tag_name) elsif VOID_ELEMENTS.include?(tag_name)
assert_equal "<#{tag_name} title=\"1\"/>foo &lt;bad&gt;bar&lt;/bad&gt; baz", htmloutput = "<#{tag_name} title='1'/>foo &lt;bad&gt;bar&lt;/bad&gt; baz"
sanitize_html("<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>") xhtmloutput = htmloutput
else rexmloutput = "<#{tag_name} title='1' />"
assert_equal "<#{tag_name.downcase} title=\"1\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name.downcase}>",
sanitize_html("<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>")
assert_equal "<#{tag_name} title=\"1\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name}>",
sanitize_xhtml("<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>")
assert_equal "<#{tag_name} title=\"1\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name}>",
sanitize_rexml("<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>")
end end
check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
end end
end end
HTMLSanitizer::ALLOWED_ELEMENTS.each do |tag_name| HTMLSanitizer::ALLOWED_ELEMENTS.each do |tag_name|
define_method "test_should_forbid_#{tag_name.upcase}_tag" do define_method "test_should_forbid_#{tag_name.upcase}_tag" do
assert_equal "&lt;#{tag_name.upcase} title=\"1\"&gt;foo &lt;bad&gt;bar&lt;/bad&gt; baz&lt;/#{tag_name.upcase}&gt;", input = "<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>"
sanitize_html("<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>") output = "&lt;#{tag_name.upcase} title=\"1\"&gt;foo &lt;bad&gt;bar&lt;/bad&gt; baz&lt;/#{tag_name.upcase}&gt;"
assert_equal "&lt;#{tag_name.upcase} title=\"1\"&gt;foo &lt;bad&gt;bar&lt;/bad&gt; baz&lt;/#{tag_name.upcase}&gt;", check_sanitization(input, output, output, output)
sanitize_rexml("<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>")
end end
end end
HTMLSanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name| HTMLSanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name|
next if attribute_name == 'style' next if attribute_name == 'style'
define_method "test_should_allow_#{attribute_name}_attribute" do define_method "test_should_allow_#{attribute_name}_attribute" do
assert_equal "<p #{attribute_name.downcase}=\"foo\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>", input = "<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>"
sanitize_html("<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>") output = "<p #{attribute_name}='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
assert_equal "<p #{attribute_name}=\"foo\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>", htmloutput = "<p #{attribute_name.downcase}='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
sanitize_xhtml("<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>") check_sanitization(input, htmloutput, output, output)
assert_equal "<p #{attribute_name}=\"foo\">foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>",
sanitize_rexml("<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>")
end end
end end
HTMLSanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name| HTMLSanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name|
define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do
assert_equal "<p>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>", input = "<p #{attribute_name.upcase}='display: none;'>foo <bad>bar</bad> baz</p>"
sanitize_html("<p #{attribute_name.upcase}='display: none;'>foo <bad>bar</bad> baz</p>") output = "<p>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
assert_equal "<p>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>", check_sanitization(input, output, output, output)
sanitize_rexml("<p #{attribute_name.upcase}='display: none;'>foo <bad>bar</bad> baz</p>")
end end
end end
HTMLSanitizer::ALLOWED_PROTOCOLS.each do |protocol| HTMLSanitizer::ALLOWED_PROTOCOLS.each do |protocol|
define_method "test_should_allow_#{protocol}_uris" do define_method "test_should_allow_#{protocol}_uris" do
assert_equal "<a href=\"#{protocol}\">foo</a>", input = %(<a href="#{protocol}">foo</a>)
sanitize_html(%(<a href="#{protocol}">foo</a>)) output = "<a href='#{protocol}'>foo</a>"
assert_equal "<a href=\"#{protocol}\">foo</a>", check_sanitization(input, output, output, output)
sanitize_rexml(%(<a href="#{protocol}">foo</a>))
end end
end end
HTMLSanitizer::ALLOWED_PROTOCOLS.each do |protocol| HTMLSanitizer::ALLOWED_PROTOCOLS.each do |protocol|
define_method "test_should_allow_uppercase_#{protocol}_uris" do define_method "test_should_allow_uppercase_#{protocol}_uris" do
assert_equal "<a href=\"#{protocol.upcase}\">foo</a>", input = %(<a href="#{protocol.upcase}">foo</a>)
sanitize_html(%(<a href="#{protocol.upcase}">foo</a>)) output = "<a href='#{protocol.upcase}'>foo</a>"
assert_equal "<a href=\"#{protocol.upcase}\">foo</a>", check_sanitization(input, output, output, output)
sanitize_rexml(%(<a href="#{protocol.upcase}">foo</a>))
end end
end end
def test_should_allow_anchors def test_should_allow_anchors
assert_equal "<a href=\"foo\">&lt;script&gt;baz&lt;/script&gt;</a>", input = "<a href='foo' onclick='bar'><script>baz</script></a>"
sanitize_html("<a href='foo' onclick='bar'><script>baz</script></a>") output = "<a href='foo'>&lt;script&gt;baz&lt;/script&gt;</a>"
assert_equal "<a href=\"foo\">&lt;script&gt;baz&lt;/script&gt;</a>", check_sanitization(input, output, output, output)
sanitize_rexml("<a href='foo' onclick='bar'><script>baz</script></a>")
end end
# RFC 3986, sec 4.2 # RFC 3986, sec 4.2
def test_allow_colons_in_path_component def test_allow_colons_in_path_component
assert_equal "<a href=\"./this:that\">foo</a>", input = "<a href=\"./this:that\">foo</a>"
sanitize_html("<a href=\"./this:that\">foo</a>") output = "<a href='./this:that'>foo</a>"
assert_equal "<a href=\"./this:that\">foo</a>", check_sanitization(input, output, output, output)
sanitize_rexml("<a href=\"./this:that\">foo</a>")
end end
%w(src width height alt).each do |img_attr| %w(src width height alt).each do |img_attr|
define_method "test_should_allow_image_#{img_attr}_attribute" do define_method "test_should_allow_image_#{img_attr}_attribute" do
assert_equal "<img #{img_attr}=\"foo\"/>", input = "<img #{img_attr}='foo' onclick='bar' />"
sanitize_html("<img #{img_attr}='foo' onclick='bar' />") output = "<img #{img_attr}='foo'/>"
assert_equal "<img #{img_attr}=\"foo\" />", rexmloutput = "<img #{img_attr}='foo' />"
sanitize_rexml("<img #{img_attr}='foo' onclick='bar' />") check_sanitization(input, output, output, rexmloutput)
end end
end end
def test_should_handle_non_html def test_should_handle_non_html
assert_equal 'abc', sanitize_html("abc") input = 'abc'
assert_equal 'abc', sanitize_rexml("abc") output = 'abc'
check_sanitization(input, output, output, output)
end end
def test_should_handle_blank_text def test_should_handle_blank_text
assert_equal '', sanitize_html('') input = ''
assert_equal '', sanitize_rexml('') output = ''
check_sanitization(input, output, output, output)
end end
[%w(img src), %w(a href)].each do |(tag, attr)| [%w(img src), %w(a href)].each do |(tag, attr)|
close = VOID_ELEMENTS.include?(tag) ? "/>boo" : ">boo</#{tag}>" close = VOID_ELEMENTS.include?(tag) ? "/>boo" : ">boo</#{tag}>"
xclose = VOID_ELEMENTS.include?(tag) ? " />" : ">boo</#{tag}>" xclose = VOID_ELEMENTS.include?(tag) ? " />" : ">boo</#{tag}>"
input = %(<#{tag} #{attr}="javascript:XSS" title="1">boo</#{tag}>)
output = %(<#{tag} title='1'#{close})
rexmloutput = %(<#{tag} title='1'#{xclose})
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_equal %(<#{tag} title="1"#{close}), sanitize_html(%(<#{tag} #{attr}="javascript:XSS" title="1">boo</#{tag}>)) check_sanitization(input, output, output, rexmloutput)
assert_equal %(<#{tag} title="1"#{xclose}), sanitize_rexml(%(<#{tag} #{attr}="javascript:XSS" title="1">boo</#{tag}>))
end end
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols_and_whitespace" do define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols_and_whitespace" do
assert_equal %(<#{tag} title="1"#{close}), sanitize_html(%(<#{tag} #{attr}=" javascript:XSS" title="1">boo</#{tag}>)) input = %(<#{tag} #{attr}=" javascript:XSS" title="1">boo</#{tag}>)
assert_equal %(<#{tag} title="1"#{xclose}), sanitize_rexml(%(<#{tag} #{attr}=" javascript:XSS" title="1">boo</#{tag}>)) output = %(<#{tag} title='1'#{close})
rexmloutput = %(<#{tag} title='1'#{xclose})
check_sanitization(input, output, output, rexmloutput)
end end
end end
@ -165,103 +173,129 @@ class SanitizeTest < Test::Unit::TestCase
%(<img src="&#x20;javascript:alert('XSS');" />), %(<img src="&#x20;javascript:alert('XSS');" />),
%(<img src="&#xA0;javascript:alert('XSS');" />)].each_with_index do |img_hack, i| %(<img src="&#xA0;javascript:alert('XSS');" />)].each_with_index do |img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i}" do define_method "test_should_not_fall_for_xss_image_hack_#{i}" do
assert_equal "<img/>", sanitize_html(img_hack) output = "<img/>"
rexmloutput = "<img />"
rexmloutput = "Ill-formed XHTML!" if i == 1
check_sanitization(img_hack, output, output, rexmloutput)
end end
end end
def test_should_sanitize_tag_broken_up_by_null def test_should_sanitize_tag_broken_up_by_null
assert_equal "&lt;scr\357\277\275ipt&gt;alert(\"XSS\")&lt;/scr\357\277\275ipt&gt;", sanitize_html(%(<scr\0ipt>alert(\"XSS\")</scr\0ipt>)) input = %(<scr\0ipt>alert(\"XSS\")</scr\0ipt>)
output = "&lt;scr\357\277\275ipt&gt;alert(\"XSS\")&lt;/scr\357\277\275ipt&gt;"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_should_sanitize_invalid_script_tag def test_should_sanitize_invalid_script_tag
assert_equal "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;", sanitize_html(%(<script/XSS SRC="http://ha.ckers.org/xss.js"></script>)) input = %(<script/XSS SRC="http://ha.ckers.org/xss.js"></script>)
output = "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_should_sanitize_script_tag_with_multiple_open_brackets def test_should_sanitize_script_tag_with_multiple_open_brackets
assert_equal "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;", sanitize_html(%(<<script>alert("XSS");//<</script>)) input = %(<<script>alert("XSS");//<</script>)
assert_equal %(&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;), sanitize_html(%(<iframe src=http://ha.ckers.org/scriptlet.html\n<)) output = "&lt;&lt;script&gt;alert(\"XSS\");//&lt;&lt;/script&gt;"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
input = %(<iframe src=http://ha.ckers.org/scriptlet.html\n<)
output = %(&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\"&gt;&lt;)
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_should_sanitize_unclosed_script def test_should_sanitize_unclosed_script
assert_equal "&lt;script src=\"http://ha.ckers.org/xss.js?\"&gt;<b/>", sanitize_html(%(<script src=http://ha.ckers.org/xss.js?<b>)) input = %(<script src=http://ha.ckers.org/xss.js?<b>)
output = "&lt;script src=\"http://ha.ckers.org/xss.js?\"&gt;<b/>"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_should_sanitize_half_open_scripts def test_should_sanitize_half_open_scripts
assert_equal "<img/>", sanitize_html(%(<img src="javascript:alert('XSS')")) input = %(<img src="javascript:alert('XSS')")
output = "<img/>"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_should_not_fall_for_ridiculous_hack def test_should_not_fall_for_ridiculous_hack
img_hack = %(<img\nsrc\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n />) img_hack = %(<img\nsrc\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n />)
assert_equal "<img/>", sanitize_html(img_hack) output = "<img/>"
assert_equal "<img />", sanitize_rexml(img_hack) rexmloutput = "<img />"
check_sanitization(img_hack, output, output, rexmloutput)
end end
def test_platypus def test_platypus
assert_equal %(<a href=\"http://www.ragingplatypus.com/\" style=\"display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;\">never trust your upstream platypus</a>), input = %(<a href="http://www.ragingplatypus.com/" style="display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;">never trust your upstream platypus</a>)
sanitize_html(%(<a href="http://www.ragingplatypus.com/" style="display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;">never trust your upstream platypus</a>)) output = %(<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>)
assert_equal %(<a href=\"http://www.ragingplatypus.com/\" style=\"display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;\">never trust your upstream platypus</a>), check_sanitization(input, output, output, output)
sanitize_rexml(%(<a href="http://www.ragingplatypus.com/" style="display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;">never trust your upstream platypus</a>))
end end
def test_xul def test_xul
assert_equal %(<p style="">fubar</p>), input = %(<p style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')">fubar</p>)
sanitize_html(%(<p style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')">fubar</p>)) output = %(<p style=''>fubar</p>)
assert_equal %(<p style="">fubar</p>), check_sanitization(input, output, output, output)
sanitize_rexml(%(<p style="-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')">fubar</p>))
end end
def test_input_image def test_input_image
assert_equal %(<input type="image"/>), input = %(<input type="image" src="javascript:alert('XSS');" />)
sanitize_html(%(<input type="image" src="javascript:alert('XSS');" />)) output = %(<input type='image'/>)
assert_equal %(<input type="image" />), rexmloutput = %(<input type='image' />)
sanitize_rexml(%(<input type="image" src="javascript:alert('XSS');" />)) check_sanitization(input, output, output, rexmloutput)
end end
def test_non_alpha_non_digit def test_non_alpha_non_digit
assert_equal "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;", input = %(<script/XSS src="http://ha.ckers.org/xss.js"></script>)
sanitize_html(%(<script/XSS src="http://ha.ckers.org/xss.js"></script>)) output = "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
assert_equal "<a>foo</a>", rexmloutput = "Ill-formed XHTML!"
sanitize_html('<a onclick!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>foo</a>') check_sanitization(input, output, output, rexmloutput)
assert_equal "<img src=\"http://ha.ckers.org/xss.js\"/>",
sanitize_html('<img/src="http://ha.ckers.org/xss.js"/>') input = '<a onclick!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>foo</a>'
output = "<a>foo</a>"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
input = '<img/src="http://ha.ckers.org/xss.js"/>'
output = "<img src='http://ha.ckers.org/xss.js'/>"
rexmloutput = "Ill-formed XHTML!"
check_sanitization(input, output, output, rexmloutput)
end end
def test_img_dynsrc_lowsrc def test_img_dynsrc_lowsrc
assert_equal "<img/>", input = %(<img dynsrc="javascript:alert('XSS')" />)
sanitize_html(%(<img dynsrc="javascript:alert('XSS')" />)) output = "<img/>"
assert_equal "<img />", rexmloutput = "<img />"
sanitize_rexml(%(<img dynsrc="javascript:alert('XSS')" />)) check_sanitization(input, output, output, rexmloutput)
end end
def test_div_background_image_unicode_encoded def test_div_background_image_unicode_encoded
assert_equal '<div style="">foo</div>', input = %(<div style="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">foo</div>)
sanitize_html(%(<div style="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">foo</div>)) output = "<div style=''>foo</div>"
assert_equal '<div style="">foo</div>', check_sanitization(input, output, output, output)
sanitize_rexml(%(<div style="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">foo</div>))
end end
def test_div_expression def test_div_expression
assert_equal '<div style="">foo</div>', input = %(<div style="width: expression(alert('XSS'));">foo</div>)
sanitize_html(%(<div style="width: expression(alert('XSS'));">foo</div>)) output = "<div style=''>foo</div>"
assert_equal '<div style="">foo</div>', check_sanitization(input, output, output, output)
sanitize_rexml(%(<div style="width: expression(alert('XSS'));">foo</div>))
end end
def test_img_vbscript def test_img_vbscript
assert_equal '<img/>', input = %(<img src='vbscript:msgbox("XSS")' />)
sanitize_html(%(<img src='vbscript:msgbox("XSS")' />)) output = '<img/>'
assert_equal '<img />', rexmloutput = '<img />'
sanitize_rexml(%(<img src='vbscript:msgbox("XSS")' />)) check_sanitization(input, output, output, rexmloutput)
end end
def test_should_handle_astral_plane_characters def test_should_handle_astral_plane_characters
assert_equal "<p>\360\235\222\265 \360\235\224\270</p>", input = "<p>&#x1d4b5; &#x1d538;</p>"
sanitize_html("<p>&#x1d4b5; &#x1d538;</p>") output = "<p>\360\235\222\265 \360\235\224\270</p>"
assert_equal "<p>\360\235\222\265 \360\235\224\270</p>", check_sanitization(input, output, output, output)
sanitize_rexml("<p>&#x1d4b5; &#x1d538;</p>")
assert_equal "<p><tspan>\360\235\224\270</tspan> a</p>", input = "<p><tspan>\360\235\224\270</tspan> a</p>"
sanitize_html("<p><tspan>\360\235\224\270</tspan> a</p>") output = "<p><tspan>\360\235\224\270</tspan> a</p>"
assert_equal "<p><tspan>\360\235\224\270</tspan> a</p>", check_sanitization(input, output, output, output)
sanitize_rexml("<p><tspan>\360\235\224\270</tspan> a</p>")
end end
end end
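Review bot: The bare `rescue` added to `sanitize_rexml` (first hunk, after the `HTMLSerializer.serialize` call) catches every StandardError raised anywhere in the method — the tree walker lookup, the serializer, the final `gsub` — not just a failed `REXML::Document.new`, so any regression in the REXML serializer path is reported as `"Ill-formed XHTML!"` and the second hunk's tests that expect that sentinel (`test_should_sanitize_tag_broken_up_by_null`, `test_should_sanitize_invalid_script_tag`, `test_non_alpha_non_digit` and others) would keep passing for the wrong reason. Narrowing the handler to the parse failure keeps the sentinel meaningful: `rescue REXML::ParseException` and, ideally, wrap only the `REXML::Document.new(...)` line so a serializer exception still surfaces as a test error. Separately, the wrapper-stripping `gsub(/^<div xmlns='...'>(.*)<\/div>$/, '\1')` uses `^`/`$` and a `.` that does not cross newlines, so a fragment containing a newline would be returned with the `<div>` wrapper still attached; `\A`/`\z` with the `m` flag would make that explicit (this appears pre-existing, and whether any current input hits it I cannot tell from the hunk). In the second hunk, `rexmloutput = "Ill-formed XHTML!" if i == 1` ties the expectation to a positional index of the image-hack list whose start is outside this hunk; a short comment naming which hack is not well-formed XML, e.g. `# entry 1 is not well-formed XML, so REXML rejects it before sanitization`, would keep the test readable if the list is reordered.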