#!/usr/bin/env ruby
require File.expand_path(File.join(File.dirname(__FILE__), '/../test_helper'))
require 'sanitize'
# Test suite for the Sanitize HTML allow-list filter (`sanitize_html`).
#
# Every test pushes one input through the sanitizer and pins the exact output
# string, so a behaviour change in the filter is caught as a literal diff.
# Coverage, as far as the test names and fixtures on this page show:
#   * allow-listed elements / attributes / URI schemes are kept, their
#     upper-case spellings are not (the allow-list match is case-sensitive);
#   * a `javascript:` scheme in `src`/`href` drops the attribute, including
#     when leading whitespace precedes the scheme;
#   * a set of classic markup-smuggling inputs (NUL byte inside a tag name,
#     unclosed / doubled `<` script tags, `dynsrc`/`lowsrc`, unicode-escaped
#     CSS `background-image`, CSS `expression()`, `vbscript:`).
#
# NOTE(review): the fixture strings as shown here look altered by HTML
# extraction — inputs have lost their tags (many are the empty literal `%()`),
# expectations appear entity-decoded, and one line in
# test_should_sanitize_script_tag_with_multiple_open_brackets has unbalanced
# parentheses. Compare each fixture against the upstream file before reading
# anything into a pass or a failure of this copy.
class SanitizeTest < Test::Unit::TestCase
# Brings `sanitize_html`, the method under test, into the test case.
include Sanitize
# No shared fixtures: every test builds its own input inline.
def setup
end
# One generated test per allow-listed element: the element and its `title`
# attribute survive, while the nested non-allow-listed `<bad>` element is
# presumably escaped in the original expectation (it shows decoded here).
Sanitize::ALLOWED_ELEMENTS.each do |tag_name|
define_method "test_should_allow_#{tag_name}_tag" do
assert_equal "<#{tag_name} title=\"1\">foo <bad>bar</bad> baz#{tag_name}>",
sanitize_html("<#{tag_name} title='1'>foo bar baz#{tag_name}>")
end
end
# Upper-case spelling of the same elements must NOT be accepted: the allow-list
# is matched case-sensitively, so `<B>` is treated like any unknown tag.
# (The expectation here presumably read as escaped markup upstream.)
Sanitize::ALLOWED_ELEMENTS.each do |tag_name|
define_method "test_should_forbid_#{tag_name.upcase}_tag" do
assert_equal "<#{tag_name.upcase} title=\"1\">foo <bad>bar</bad> baz</#{tag_name.upcase}>",
sanitize_html("<#{tag_name.upcase} title='1'>foo bar baz#{tag_name.upcase}>")
end
end
# One generated test per allow-listed attribute. `style` is skipped here;
# presumably because its value is CSS and gets its own checks (see the
# test_div_* cases at the end of the file) — confirm against the sanitizer.
# Fixture markup is missing on this page; the original input and expectation
# carried an element with `#{attribute_name}="1"`.
Sanitize::ALLOWED_ATTRIBUTES.each do |attribute_name|
if attribute_name != 'style'
define_method "test_should_allow_#{attribute_name}_attribute" do
assert_equal "
foo <bad>bar</bad> baz
",
sanitize_html("foo bar baz
")
end
end
end
# Upper-case attribute names are not on the allow-list and must be dropped.
# Fixture markup is missing on this page.
Sanitize::ALLOWED_ATTRIBUTES.each do |attribute_name|
define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do
assert_equal "foo <bad>bar</bad> baz
",
sanitize_html("foo bar baz
")
end
end
# One generated test per allow-listed URI scheme: a link using that scheme
# keeps its `href`. Fixture markup is missing on this page.
Sanitize::ALLOWED_PROTOCOLS.each do |protocol|
define_method "test_should_allow_#{protocol}_uris" do
assert_equal "foo",
sanitize_html(%(foo))
end
end
# Scheme names are case-insensitive (RFC 3986 §3.1), so an upper-case spelling
# of an allow-listed scheme is accepted too. Fixture markup is missing here.
Sanitize::ALLOWED_PROTOCOLS.each do |protocol|
define_method "test_should_allow_uppercase_#{protocol}_uris" do
assert_equal "foo",
sanitize_html(%(foo))
end
end
# A plain anchor survives. The fixture as shown (empty input, `<script>`
# expectation) is not the upstream one; do not read this copy literally.
def test_should_allow_anchors
assert_equal "<script>baz</script>",
sanitize_html("")
end
# RFC 3986, sec 4.2: a colon inside a later path segment (e.g. `./this:that`)
# is not a scheme delimiter, so the URI must not be rejected as using an
# unknown protocol. Guards against an over-eager "text before ':' is the
# scheme" check. Fixture markup is missing on this page.
def test_allow_colons_in_path_component
assert_equal "foo",
sanitize_html("foo")
end
# `img` keeps each of its allow-listed attributes. Fixture markup is missing.
%w(src width height alt).each do |img_attr|
define_method "test_should_allow_image_#{img_attr}_attribute" do
assert_equal "",
sanitize_html("")
end
end
# Text with no markup and the empty string pass through unchanged.
def test_should_handle_non_html
assert_equal 'abc', sanitize_html("abc")
end
def test_should_handle_blank_text
assert_equal '', sanitize_html('')
end
# A `javascript:` value in `img@src` / `a@href` drops that attribute only; the
# element and its other allow-listed attributes (`title`) are kept.
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_equal %(<#{tag} title="1">boo#{tag}>), sanitize_html(%(<#{tag} #{attr}="javascript:XSS" title="1">boo#{tag}>))
end
end
# Same as above with leading whitespace before the scheme: browsers trim it,
# so the scheme check has to normalise the value before comparing it.
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols_and_whitespace" do
assert_equal %(<#{tag} title="1">boo#{tag}>), sanitize_html(%(<#{tag} #{attr}=" javascript:XSS" title="1">boo#{tag}>))
end
end
# Fifteen `img`-based smuggling inputs, one generated test each. All fifteen
# payloads are blank on this page (extraction artefact); the upstream file
# holds the actual fixtures, and the expected output is the same for each.
[%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%()].each_with_index do |img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i}" do
assert_equal "", sanitize_html(img_hack)
end
end
# A NUL byte inside a tag name must not be stripped in a way that reassembles
# `script`; the expectation treats the truncated name `scr` as an unknown tag
# (presumably escaped upstream). Input fixture is missing on this page.
def test_should_sanitize_tag_broken_up_by_null
assert_equal "<scr>alert(\"XSS\")</scr>", sanitize_html(%(alert(\"XSS\")))
end
# A malformed / unclosed script tag is neutralised rather than passed through.
# Input fixture is missing on this page.
def test_should_sanitize_invalid_script_tag
assert_equal "<script /></script>", sanitize_html(%())
end
# Doubled `<` before a tag must not yield live markup once the outer
# character is consumed. NOTE(review): the second assertion line is
# syntactically unbalanced as shown here and cannot be the upstream text.
def test_should_sanitize_script_tag_with_multiple_open_brackets
assert_equal "<<script>alert(\"XSS\");//<</script>", sanitize_html(%(<))
assert_equal %(<iframe src="http:" /><), sanitize_html(%(", sanitize_html(%())
assert_equal "foo",
sanitize_html('foo')
assert_equal "",
sanitize_html('')
end
# Legacy IE attributes `dynsrc` / `lowsrc` load a URL like `src` does and are
# not on the allow-list, so they must be dropped. Fixture markup is missing.
def test_img_dynsrc_lowsrc
assert_equal "",
sanitize_html(%())
assert_equal "",
sanitize_html(%())
end
# CSS `background-image` whose `url()` is hidden behind unicode escapes must
# not reach the output: the style value has to be decoded before the scheme
# check, not after. Fixture markup is missing on this page.
def test_div_background_image_unicode_encoded
assert_equal 'foo
',
sanitize_html(%(foo
))
end
# CSS `expression()` (IE dynamic property) inside `style` is stripped.
# Fixture markup is missing on this page.
def test_div_expression
assert_equal 'foo
',
sanitize_html(%(foo
))
end
# A `vbscript:` scheme on an image is rejected like `javascript:`.
# Fixture markup is missing on this page.
def test_img_vbscript
assert_equal '',
sanitize_html(%())
end
end