squeegily
/
pleroma
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 42 Wiki Activity
Fork of Pleroma with site-specific changes and feature branches https://git.pleroma.social/pleroma/pleroma
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3900 Commits
154 Branches
503MB
Tree: fc35481445
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fc35481445'
${ noResults }
pleroma/test/html_test.exs

85 lines
2.2KB
Raw Blame History 

  1. # Pleroma: A lightweight social networking server

  2. # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>

  3. # SPDX-License-Identifier: AGPL-3.0-only

  4. 

  5. defmodule Pleroma.HTMLTest do

  6.   alias Pleroma.HTML

  7.   use Pleroma.DataCase

  8. 

  9.   @html_sample """

  10.     <b>this is in bold</b>

  11.     <p>this is a paragraph</p>

  12.     this is a linebreak<br />

  13.     this is an image: <img src="http://example.com/image.jpg"><br />

  14.     <script>alert('hacked')</script>

  15.   """

  16. 

  17.   @html_onerror_sample """

  18.     <img src="http://example.com/image.jpg" onerror="alert('hacked')">

  19.   """

  20. 

  21.   describe "StripTags scrubber" do

  22.     test "works as expected" do

  23.       expected = """

  24.       this is in bold

  25.         this is a paragraph

  26.         this is a linebreak

  27.         this is an image: 

  28.         alert('hacked')

  29.       """

  30. 

  31.       assert expected == HTML.strip_tags(@html_sample)

  32.     end

  33. 

  34.     test "does not allow attribute-based XSS" do

  35.       expected = "\n"

  36. 

  37.       assert expected == HTML.strip_tags(@html_onerror_sample)

  38.     end

  39.   end

  40. 

  41.   describe "TwitterText scrubber" do

  42.     test "normalizes HTML as expected" do

  43.       expected = """

  44.       this is in bold

  45.         <p>this is a paragraph</p>

  46.         this is a linebreak<br />

  47.         this is an image: <img src="http://example.com/image.jpg" /><br />

  48.         alert('hacked')

  49.       """

  50. 

  51.       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)

  52.     end

  53. 

  54.     test "does not allow attribute-based XSS" do

  55.       expected = """

  56.       <img src="http://example.com/image.jpg" />

  57.       """

  58. 

  59.       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)

  60.     end

  61.   end

  62. 

  63.   describe "default scrubber" do

  64.     test "normalizes HTML as expected" do

  65.       expected = """

  66.       <b>this is in bold</b>

  67.         <p>this is a paragraph</p>

  68.         this is a linebreak<br />

  69.         this is an image: <img src="http://example.com/image.jpg" /><br />

  70.         alert('hacked')

  71.       """

  72. 

  73.       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)

  74.     end

  75. 

  76.     test "does not allow attribute-based XSS" do

  77.       expected = """

  78.       <img src="http://example.com/image.jpg" />

  79.       """

  80. 

  81.       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)

  82.     end

  83.   end

  84. end