summaryrefslogtreecommitdiff
path: root/test/html_test.exs
blob: 29cab17f3a7807ca8173f31d3023258aebea8bfb (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

# Pleroma: A lightweight social networking server
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.HTMLTest do
  alias Pleroma.HTML
  use Pleroma.DataCase

  @html_sample """
    <b>this is in bold</b>
    <p>this is a paragraph</p>
    this is a linebreak<br />
    this is an image: <img src="http://example.com/image.jpg"><br />
    <script>alert('hacked')</script>
  """

  @html_onerror_sample """
    <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  """

  describe "StripTags scrubber" do
    test "works as expected" do
      expected = """
      this is in bold
        this is a paragraph
        this is a linebreak
        this is an image: 
        alert('hacked')
      """

      assert expected == HTML.strip_tags(@html_sample)
    end

    test "does not allow attribute-based XSS" do
      expected = "\n"

      assert expected == HTML.strip_tags(@html_onerror_sample)
    end
  end

  describe "TwitterText scrubber" do
    test "normalizes HTML as expected" do
      expected = """
      this is in bold
        <p>this is a paragraph</p>
        this is a linebreak<br />
        this is an image: <img src="http://example.com/image.jpg" /><br />
        alert('hacked')
      """

      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
    end

    test "does not allow attribute-based XSS" do
      expected = """
      <img src="http://example.com/image.jpg" />
      """

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
    end
  end

  describe "default scrubber" do
    test "normalizes HTML as expected" do
      expected = """
      <b>this is in bold</b>
        <p>this is a paragraph</p>
        this is a linebreak<br />
        this is an image: <img src="http://example.com/image.jpg" /><br />
        alert('hacked')
      """

      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
    end

    test "does not allow attribute-based XSS" do
      expected = """
      <img src="http://example.com/image.jpg" />
      """

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
    end
  end
end
generated by cgit v1.2.3 (git 2.44.0) at 2024-05-02 03:11:59 +0000