|
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 |
- # Pleroma: A lightweight social networking server
- # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
- # SPDX-License-Identifier: AGPL-3.0-only
-
- defmodule Pleroma.HTMLTest do
- alias Pleroma.HTML
- use Pleroma.DataCase
-
- @html_sample """
- <b>this is in bold</b>
- <p>this is a paragraph</p>
- this is a linebreak<br />
- this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
- this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
- this is an image: <img src="http://example.com/image.jpg"><br />
- <script>alert('hacked')</script>
- """
-
- @html_onerror_sample """
- <img src="http://example.com/image.jpg" onerror="alert('hacked')">
- """
-
- describe "StripTags scrubber" do
- test "works as expected" do
- expected = """
- this is in bold
- this is a paragraph
- this is a linebreak
- this is a link with allowed "rel" attribute: example.com
- this is a link with not allowed "rel" attribute: example.com
- this is an image:
- alert('hacked')
- """
-
- assert expected == HTML.strip_tags(@html_sample)
- end
-
- test "does not allow attribute-based XSS" do
- expected = "\n"
-
- assert expected == HTML.strip_tags(@html_onerror_sample)
- end
- end
-
- describe "TwitterText scrubber" do
- test "normalizes HTML as expected" do
- expected = """
- this is in bold
- <p>this is a paragraph</p>
- this is a linebreak<br />
- this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
- this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
- this is an image: <img src="http://example.com/image.jpg" /><br />
- alert('hacked')
- """
-
- assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
- end
-
- test "does not allow attribute-based XSS" do
- expected = """
- <img src="http://example.com/image.jpg" />
- """
-
- assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
- end
- end
-
- describe "default scrubber" do
- test "normalizes HTML as expected" do
- expected = """
- <b>this is in bold</b>
- <p>this is a paragraph</p>
- this is a linebreak<br />
- this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
- this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
- this is an image: <img src="http://example.com/image.jpg" /><br />
- alert('hacked')
- """
-
- assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
- end
-
- test "does not allow attribute-based XSS" do
- expected = """
- <img src="http://example.com/image.jpg" />
- """
-
- assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
- end
- end
- end
|