diff --git a/test/sanitizer.dat b/test/sanitizer.dat
index 064fa5cc..f7cdf51e 100644
--- a/test/sanitizer.dat
+++ b/test/sanitizer.dat
@@ -1,9 +1,9 @@
 [
 {
 "name": "IE_Comments",
- "input": "",
- "output": "",
- "xhtml": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->"
+ "input": "a",
+ "output": "a",
+ "xhtml": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->a"
 },
 {
@@ -211,7 +211,8 @@
 {
 "name": "should_handle_blank_text",
 "input": "",
- "output": ""
+ "output": "
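Review bot: In the `IE_Comments` hunk the new `xhtml` expectation still asserts that the IE conditional comment is passed through intact, script element included, while the `output` expectation for the same input drops it entirely. That pass-through is only harmless if the xhtml result is never rendered as text/html, where legacy IE evaluated `<!--[if gte IE 4]>` blocks; the fixture gives no hint of that constraint, and sanitizer.dat has no comment syntax to carry one. The assumption should be stated where this fixture is consumed (the test runner or the commit description), or the xhtml expectation should strip the comment the way `output` does. The `input` strings of this hunk are garbled in this view, so the exact input could not be checked.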
", + "xhtml": "" }, { @@ -503,7 +504,8 @@ { "name": "attributes_with_embedded_quotes", "input": "", - "output": "", + "output": "", + "xhtml": "", "rexml": "Ill-formed XHTML!" }, diff --git a/test/unit/sanitize_test.rb b/test/unit/sanitize_test.rb index 37260516..fb897b6c 100644 --- a/test/unit/sanitize_test.rb +++ b/test/unit/sanitize_test.rb @@ -2,6 +2,8 @@ require File.expand_path(File.dirname(__FILE__) + '/../test_helper') require 'sanitize' +require 'json' + class SanitizeTest < Test::Unit::TestCase @@ -11,6 +13,14 @@ class SanitizeTest < Test::Unit::TestCase end + def do_sanitize_xhtml stream + safe_sanitize_xhtml(stream) + end + + def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput) + assert_equal htmloutput, do_sanitize_xhtml(input) + end + def rexml_doc(string) REXML::Document.new( "foo
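Review bot: In the `@@ -11,6 +13,14 @@` hunk, `check_sanitization` takes `xhtmloutput` and `rexmloutput` but only asserts `htmloutput` against `do_sanitize_xhtml(input)`, so two of the three expectations every later caller passes are never checked, and the helper named for XHTML is compared with the HTML expectation. Either assert all three (the `rexml_doc` helper directly below suggests a REXML pass is intended) or drop the unused parameters so callers cannot believe a check happens; at minimum mark the gap, e.g. `# TODO: only htmloutput is asserted; xhtmloutput and rexmloutput are currently ignored`. `def do_sanitize_xhtml stream` should also take parentheses, `def do_sanitize_xhtml(stream)`, to match `rexml_doc(string)` in the same hunk. The tail of this hunk (the body of `rexml_doc`) is garbled in this view, so its closing lines could not be reviewed.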
foo <bad>bar</bad> baz
" + htmloutput = "foo <bad>bar</bad> baz
" + check_sanitization(input, output, output, output) + end + end + + Sanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name| + define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do + input = "foo
foo <bad>bar</bad> baz
" + check_sanitization(input, output, output, output) + end + end + + Sanitizer::ALLOWED_PROTOCOLS.each do |protocol| + define_method "test_should_allow_#{protocol}_uris" do + input = %(foo) + output = "foo" + check_sanitization(input, output, output, output) + end + end + + Sanitizer::ALLOWED_PROTOCOLS.each do |protocol| + define_method "test_should_allow_uppercase_#{protocol}_uris" do + input = %(foo) + output = "foo" + check_sanitization(input, output, output, output) + end + end + + Sanitizer::SVG_ALLOW_LOCAL_HREF.each do |tag_name| + next unless Sanitizer::ALLOWED_ELEMENTS.include?(tag_name) + define_method "test_#{tag_name}_should_allow_local_href_with_ns_decl" do + input = %(<#{tag_name} xlink:href="#foo" xmlns:xlink='http://www.w3.org/1999/xlink'/>) + output = "<#{tag_name.downcase} xlink:href='#foo' xmlns:xlink='http://www.w3.org/1999/xlink'/>" + xhtmloutput = "<#{tag_name} xlink:href='#foo' xmlns:xlink='http://www.w3.org/1999/xlink'/>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + + define_method "test_#{tag_name}_should_allow_local_href_with_newline_and_ns_decl" do + input = %(<#{tag_name} xlink:href="\n#foo" xmlns:xlink='http://www.w3.org/1999/xlink'/>) + output = "<#{tag_name.downcase} xlink:href='\n#foo' xmlns:xlink='http://www.w3.org/1999/xlink'/>" + xhtmloutput = "<#{tag_name} xlink:href='\n#foo' xmlns:xlink='http://www.w3.org/1999/xlink'/>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + + define_method "test_#{tag_name}_should_forbid_local_href_without_ns_decl" do + input = %(<#{tag_name} xlink:href="#foo"/>) + output = "<#{tag_name.downcase} xlink:href='#foo'/>" + xhtmloutput = "<#{tag_name} xlink:href='#foo'></#{tag_name}>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + + define_method "test_#{tag_name}_should_forbid_local_href_with_newline_without_ns_decl" do + input = %(<#{tag_name} xlink:href="\n#foo"/>) + output = "<#{tag_name.downcase} xlink:href='\n#foo'/>" 
+ xhtmloutput = "<#{tag_name} xlink:href='\n#foo'></#{tag_name}>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + + define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_ns_decl" do + input = %(<#{tag_name} xlink:href="http://bad.com/foo" xmlns:xlink='http://www.w3.org/1999/xlink'/>) + output = "<#{tag_name.downcase} xmlns:xlink='http://www.w3.org/1999/xlink'/>" + xhtmloutput = "<#{tag_name} xmlns:xlink='http://www.w3.org/1999/xlink'/>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + + define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline_and_ns_decl" do + input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo" xmlns:xlink='http://www.w3.org/1999/xlink'/>) + output = "<#{tag_name.downcase} xmlns:xlink='http://www.w3.org/1999/xlink'/>" + xhtmloutput = "<#{tag_name} xmlns:xlink='http://www.w3.org/1999/xlink'/>" + check_sanitization(input, xhtmloutput, xhtmloutput, xhtmloutput) + end + end + + def test_should_handle_astral_plane_characters + input = "𝒵 𝔸
" + output = "\360\235\222\265 \360\235\224\270
" + check_sanitization(input, output, output, output) + + input = "