diff --git a/test/unit/sanitize_test.rb b/test/unit/sanitize_test.rb
deleted file mode 100644
index 9ac2247e..00000000
--- a/test/unit/sanitize_test.rb
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/usr/bin/env ruby
-
-require File.expand_path(File.join(File.dirname(__FILE__), '/../test_helper'))
-require 'sanitize'
-
-class SanitizeTest < Test::Unit::TestCase
-  include Sanitize
-
-  def setup
-
-  end
-
-  Sanitize::ALLOWED_ELEMENTS.each do |tag_name|
-    define_method "test_should_allow_#{tag_name}_tag" do
-      assert_equal "<#{tag_name} title=\"1\">foo <bad>bar</bad> baz",
-        sanitize_html("<#{tag_name} title='1'>foo bar baz")
-    end
-  end
-
-  Sanitize::ALLOWED_ELEMENTS.each do |tag_name|
-    define_method "test_should_forbid_#{tag_name.upcase}_tag" do
-      assert_equal "<#{tag_name.upcase} title=\"1\">foo <bad>bar</bad> baz</#{tag_name.upcase}>",
-        sanitize_html("<#{tag_name.upcase} title='1'>foo bar baz")
-    end
-  end
-
-  Sanitize::ALLOWED_ATTRIBUTES.each do |attribute_name|
-    if attribute_name != 'style'
-      define_method "test_should_allow_#{attribute_name}_attribute" do
-        assert_equal "

foo <bad>bar</bad> baz

", - sanitize_html("

foo bar baz

") - end - end - end - - Sanitize::ALLOWED_ATTRIBUTES.each do |attribute_name| - define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do - assert_equal "

foo <bad>bar</bad> baz

", - sanitize_html("

foo bar baz

") - end - end - - Sanitize::ALLOWED_PROTOCOLS.each do |protocol| - define_method "test_should_allow_#{protocol}_uris" do - assert_equal "foo", - sanitize_html(%(foo)) - end - end - - Sanitize::ALLOWED_PROTOCOLS.each do |protocol| - define_method "test_should_allow_uppercase_#{protocol}_uris" do - assert_equal "foo", - sanitize_html(%(foo)) - end - end - - def test_should_allow_anchors - assert_equal "<script>baz</script>", - sanitize_html("") - end - - # RFC 3986, sec 4.2 - def test_allow_colons_in_path_component - assert_equal "foo", - sanitize_html("foo") - end - - %w(src width height alt).each do |img_attr| - define_method "test_should_allow_image_#{img_attr}_attribute" do - assert_equal "", - sanitize_html("") - end - end - - def test_should_handle_non_html - assert_equal 'abc', sanitize_html("abc") - end - - def test_should_handle_blank_text - assert_equal '', sanitize_html('') - end - - [%w(img src), %w(a href)].each do |(tag, attr)| - define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do - assert_equal %(<#{tag} title="1">boo), sanitize_html(%(<#{tag} #{attr}="javascript:XSS" title="1">boo)) - end - end - - [%w(img src), %w(a href)].each do |(tag, attr)| - define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols_and_whitespace" do - assert_equal %(<#{tag} title="1">boo), sanitize_html(%(<#{tag} #{attr}=" javascript:XSS" title="1">boo)) - end - end - - [%(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %(), - %()].each_with_index do |img_hack, i| - define_method "test_should_not_fall_for_xss_image_hack_#{i}" do - assert_equal "", sanitize_html(img_hack) - end - end - - def test_should_sanitize_tag_broken_up_by_null - assert_equal "<scr>alert(\"XSS\")</scr>", sanitize_html(%(alert(\"XSS\"))) - end - - def test_should_sanitize_invalid_script_tag - assert_equal "<script /></script>", sanitize_html(%()) - end - - def 
test_should_sanitize_script_tag_with_multiple_open_brackets - assert_equal "<<script>alert(\"XSS\");//<</script>", sanitize_html(%(<)) - assert_equal %(<iframe src="http:" /><), sanitize_html(%(