blob: f98e7745f88c73fd42cdcea516dad4113443e6af (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
# Pleroma: A lightweight social networking server
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.HTMLTest do
alias Pleroma.HTML
use Pleroma.DataCase
@html_sample """
<b>this is in bold</b>
<p>this is a paragraph</p>
this is a linebreak<br />
this is an image: <img src="http://example.com/image.jpg"><br />
<script>alert('hacked')</script>
"""
@html_onerror_sample """
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
"""
@html_span_class_sample """
<span class="animate-spin">hi</span>
"""
@html_span_microformats_sample """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
@html_span_invalid_microformats_sample """
<span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
"""
describe "StripTags scrubber" do
test "works as expected" do
expected = """
this is in bold
this is a paragraph
this is a linebreak
this is an image:
alert('hacked')
"""
assert expected == HTML.strip_tags(@html_sample)
end
test "does not allow attribute-based XSS" do
expected = "\n"
assert expected == HTML.strip_tags(@html_onerror_sample)
end
end
describe "TwitterText scrubber" do
test "normalizes HTML as expected" do
expected = """
this is in bold
<p>this is a paragraph</p>
this is a linebreak<br />
this is an image: <img src="http://example.com/image.jpg" /><br />
alert('hacked')
"""
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does not allow attribute-based XSS" do
expected = """
<img src="http://example.com/image.jpg" />
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does not allow spans with invalid classes" do
expected = """
<span>hi</span>
"""
assert expected ==
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does allow microformats" do
expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "filters invalid microformats markup" do
expected = """
<span class="h-card"><a>@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(
@html_span_invalid_microformats_sample,
Pleroma.HTML.Scrubber.TwitterText
)
end
end
describe "default scrubber" do
test "normalizes HTML as expected" do
expected = """
<b>this is in bold</b>
<p>this is a paragraph</p>
this is a linebreak<br />
this is an image: <img src="http://example.com/image.jpg" /><br />
alert('hacked')
"""
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
end
test "does not allow attribute-based XSS" do
expected = """
<img src="http://example.com/image.jpg" />
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
end
test "does not allow spans with invalid classes" do
expected = """
<span>hi</span>
"""
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
end
test "does allow microformats" do
expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
end
test "filters invalid microformats markup" do
expected = """
<span class="h-card"><a>@<span>foo</span></a></span>
"""
assert expected ==
HTML.filter_tags(
@html_span_invalid_microformats_sample,
Pleroma.HTML.Scrubber.Default
)
end
end
end
|
