"))
assert_equal("Weirdos", sanitizer.sanitize("Wei<a onclick='alert(document.cookie);'/>rdos"))
assert_equal("This is a test.", sanitizer.sanitize("This is a test."))
assert_equal(
%{This is a test.\n\n\nIt no longer contains any HTML.\n}, sanitizer.sanitize(
%{This is a test.\n\n\n\n
It no longer contains any HTML.
\n}))
assert_equal "This has a here.", sanitizer.sanitize("This has a here.")
assert_equal "This has a here.", sanitizer.sanitize("This has a ]]> here.")
assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed ]] here...")
[nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
assert_nothing_raised { sanitizer.sanitize("This is a frozen string with no tags".freeze) }
end
def test_strip_links
sanitizer = HTML::LinkSanitizer.new
assert_equal "Dont touch me", sanitizer.sanitize("Dont touch me")
assert_equal "on my mind\nall day long", sanitizer.sanitize("on my mind\nall day long")
assert_equal "0wn3d", sanitizer.sanitize("0wn3d")
assert_equal "Magic", sanitizer.sanitize("Magic")
assert_equal "FrrFox", sanitizer.sanitize("FrrFox")
assert_equal "My mind\nall day long", sanitizer.sanitize("My mind\nall day long")
assert_equal "all day long", sanitizer.sanitize("<a href='hello'>all day long</a>")
assert_equal "", ''
end
def test_sanitize_plaintext
raw = "foo"
assert_sanitized raw, "foo"
end
def test_sanitize_script
assert_sanitized "a b cd e f", "a b cd e f"
end
# TODO: Clean up
def test_sanitize_js_handlers
raw = %{onthis="do that" hello}
assert_sanitized raw, %{onthis="do that" hello}
end
def test_sanitize_javascript_href
raw = %{href="javascript:bang" foo, bar}
assert_sanitized raw, %{href="javascript:bang" foo, bar}
end
def test_sanitize_image_src
raw = %{src="javascript:bang" foo, bar}
assert_sanitized raw, %{src="javascript:bang" foo, bar}
end
HTML::WhiteListSanitizer.allowed_tags.each do |tag_name|
define_method "test_should_allow_#{tag_name}_tag" do
assert_sanitized "start <#{tag_name} title=\"1\" onclick=\"foo\">foo bar baz#{tag_name}> end", %(start <#{tag_name} title="1">foo bar baz#{tag_name}> end)
end
end
def test_should_allow_anchors
assert_sanitized %(), %()
end
# RFC 3986, sec 4.2
def test_allow_colons_in_path_component
assert_sanitized("foo")
end
%w(src width height alt).each do |img_attr|
define_method "test_should_allow_image_#{img_attr}_attribute" do
assert_sanitized %(), %()
end
end
def test_should_handle_non_html
assert_sanitized 'abc'
end
def test_should_handle_blank_text
assert_sanitized nil
assert_sanitized ''
end
def test_should_allow_custom_tags
text = "foo"
sanitizer = HTML::WhiteListSanitizer.new
assert_equal(text, sanitizer.sanitize(text, :tags => %w(u)))
end
def test_should_allow_only_custom_tags
text = "foo with bar"
sanitizer = HTML::WhiteListSanitizer.new
assert_equal("foo with bar", sanitizer.sanitize(text, :tags => %w(u)))
end
def test_should_allow_custom_tags_with_attributes
text = %(
foo
)
sanitizer = HTML::WhiteListSanitizer.new
assert_equal(text, sanitizer.sanitize(text))
end
def test_should_allow_custom_tags_with_custom_attributes
text = %(
Lorem ipsum
)
sanitizer = HTML::WhiteListSanitizer.new
assert_equal(text, sanitizer.sanitize(text, :attributes => ['foo']))
end
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo#{tag}>), %(<#{tag} title="1">boo#{tag}>)
end
end
def test_should_flag_bad_protocols
sanitizer = HTML::WhiteListSanitizer.new
%w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto|
assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
end
end
def test_should_accept_good_protocols_ignoring_case
sanitizer = HTML::WhiteListSanitizer.new
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good")
end
end
def test_should_accept_good_protocols
sanitizer = HTML::WhiteListSanitizer.new
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://good")
end
end
def test_should_reject_hex_codes_in_protocol
assert_sanitized %(1), "1"
assert @sanitizer.send(:contains_bad_protocols?, 'src', "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29")
end
def test_should_block_script_tag
assert_sanitized %(), ""
end
[%(),
%(),
%(),
%(">),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%(),
%()].each_with_index do |img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
assert_sanitized img_hack, ""
end
end
def test_should_sanitize_tag_broken_up_by_null
assert_sanitized %(alert(\"XSS\")), "alert(\"XSS\")"
end
def test_should_sanitize_invalid_script_tag
assert_sanitized %(), ""
end
def test_should_sanitize_script_tag_with_multiple_open_brackets
assert_sanitized %(<), "<"
assert_sanitized %(