squeegily
/
pleroma
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 42 Wiki Activity
Fork of Pleroma with site-specific changes and feature branches https://git.pleroma.social/pleroma/pleroma
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4739 Commits
154 Branches
503MB
Tree: c26724cc55
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c26724cc55'
${ noResults }
pleroma/test/html_test.exs

93 lines
3.0KB
Raw Blame History 

  1. # Pleroma: A lightweight social networking server

  2. # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>

  3. # SPDX-License-Identifier: AGPL-3.0-only

  4. 

  5. defmodule Pleroma.HTMLTest do

  6.   alias Pleroma.HTML

  7.   use Pleroma.DataCase

  8. 

  9.   @html_sample """

  10.     <b>this is in bold</b>

  11.     <p>this is a paragraph</p>

  12.     this is a linebreak<br />

  13.     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>

  14.     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>

  15.     this is an image: <img src="http://example.com/image.jpg"><br />

  16.     <script>alert('hacked')</script>

  17.   """

  18. 

  19.   @html_onerror_sample """

  20.     <img src="http://example.com/image.jpg" onerror="alert('hacked')">

  21.   """

  22. 

  23.   describe "StripTags scrubber" do

  24.     test "works as expected" do

  25.       expected = """

  26.       this is in bold

  27.         this is a paragraph

  28.         this is a linebreak

  29.         this is a link with allowed "rel" attribute: example.com

  30.         this is a link with not allowed "rel" attribute: example.com

  31.         this is an image: 

  32.         alert('hacked')

  33.       """

  34. 

  35.       assert expected == HTML.strip_tags(@html_sample)

  36.     end

  37. 

  38.     test "does not allow attribute-based XSS" do

  39.       expected = "\n"

  40. 

  41.       assert expected == HTML.strip_tags(@html_onerror_sample)

  42.     end

  43.   end

  44. 

  45.   describe "TwitterText scrubber" do

  46.     test "normalizes HTML as expected" do

  47.       expected = """

  48.       this is in bold

  49.         <p>this is a paragraph</p>

  50.         this is a linebreak<br />

  51.         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>

  52.         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>

  53.         this is an image: <img src="http://example.com/image.jpg" /><br />

  54.         alert('hacked')

  55.       """

  56. 

  57.       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)

  58.     end

  59. 

  60.     test "does not allow attribute-based XSS" do

  61.       expected = """

  62.       <img src="http://example.com/image.jpg" />

  63.       """

  64. 

  65.       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)

  66.     end

  67.   end

  68. 

  69.   describe "default scrubber" do

  70.     test "normalizes HTML as expected" do

  71.       expected = """

  72.       <b>this is in bold</b>

  73.         <p>this is a paragraph</p>

  74.         this is a linebreak<br />

  75.         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>

  76.         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>

  77.         this is an image: <img src="http://example.com/image.jpg" /><br />

  78.         alert('hacked')

  79.       """

  80. 

  81.       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)

  82.     end

  83. 

  84.     test "does not allow attribute-based XSS" do

  85.       expected = """

  86.       <img src="http://example.com/image.jpg" />

  87.       """

  88. 

  89.       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)

  90.     end

  91.   end

  92. end