// Copyright 2017 The Gitea Authors. All rights reserved.
// Copyright 2017 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package markup
import (
"html/template"
"strings"
"testing"
"github.com/stretchr/testify/assert"
)
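// Test_Sanitizer pins the allow-list behaviour of Sanitize and SanitizeBytes
// on a table of untrusted HTML fragments. Every case is run through both entry
// points so the string and []byte paths cannot drift apart. Where a case keeps
// some markup, the table spells out the exact surviving attributes, because
// that is the security boundary: event handlers, non-checkbox inputs and
// classes outside the allow-list must not reach the rendered page.
//
// The cases are a struct table rather than a flat input/expected pair list so
// that a missing expected value is a compile error instead of an index panic,
// and so a failing case is reported by name.
func Test_Sanitizer(t *testing.T) {
	NewSanitizer()

	type sanitizerCase struct {
		name  string // label reported on failure
		input string // untrusted markup handed to the sanitizer
		want  string // exact output required from both Sanitize and SanitizeBytes
	}

	cases := []sanitizerCase{
		// The event-handler attribute is dropped and the external link gains
		// rel="nofollow".
		{
			name:  "anchor with onblur handler",
			input: `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`,
			want:  `<a href="http://www.google.com" rel="nofollow">Google</a>`,
		},

		// class on <code>: only a lone language-* token (used by the syntax
		// highlighter) survives; an arbitrary class, or a language-* token
		// padded with UI classes, is stripped so user markup cannot borrow the
		// site's own CSS classes.
		{
			name:  "code with arbitrary class",
			input: `<code class="random string"></code>`,
			want:  `<code></code>`,
		},
		{
			name:  "code with language class plus UI classes",
			input: `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`,
			want:  `<code></code>`,
		},
		{
			name:  "code with language class only",
			input: `<code class="language-go"></code>`,
			want:  `<code class="language-go"></code>`,
		},

		// <input>: a hidden input is removed entirely, a checkbox is kept, and
		// of the boolean attributes only checked/disabled survive (autofocus
		// does not).
		{
			name:  "hidden input",
			input: `<input type="hidden">`,
			want:  ``,
		},
		{
			name:  "checkbox input",
			input: `<input type="checkbox">`,
			want:  `<input type="checkbox">`,
		},
		{
			name:  "input boolean attributes",
			input: `<input checked disabled autofocus>`,
			want:  `<input checked="" disabled="">`,
		},

		// Nested <code> blocks, an <img> and an <a> inside a language-* class
		// padded with UI classes: the element structure and the image (with
		// its width/height) survive, every class list is stripped, &nbsp; is
		// decoded to U+00A0 and the link gains rel="nofollow".
		{
			name: "code highlight injection",
			input: `<code class="language-lol ui tab active menu attached animating sidebar following bar center">
<code class="language-lol ui container input huge basic segment center">&nbsp;</code>
<img src="https://try.gogs.io/img/favicon.png" width="200" height="200">
<code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code>
<code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at&nbsp;<a href="http://example.com/">example.com</a>.</code>
</code>`,
			want: "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>",
		},

		// <kbd> passes through unchanged.
		{
			name:  "kbd",
			input: `<kbd>Ctrl + C</kbd>`,
			want:  `<kbd>Ctrl + C</kbd>`,
		},

		// class allow-list on <i> and <span>: the literal class strings
		// "icon dropdown", "ui checkbox" and "emoji" are kept; any other
		// value, including the same tokens in a different order or with an
		// extra token, is dropped (the allow-list appears to match the whole
		// attribute value, not individual tokens).
		{
			name:  "i with reordered classes",
			input: `<i class="dropdown icon">NAUGHTY</i>`,
			want:  `<i>NAUGHTY</i>`,
		},
		{
			name:  "i with allowed classes",
			input: `<i class="icon dropdown"></i>`,
			want:  `<i class="icon dropdown"></i>`,
		},
		{
			name:  "span ui checkbox with readonly input",
			input: `<span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>unchecked</label></span>`,
			want:  `<span class="ui checkbox"><input type="checkbox" readonly="readonly"/><label>unchecked</label></span>`,
		},
		{
			name:  "span emoji with extra class",
			input: `<span class="emoji dropdown">NAUGHTY</span>`,
			want:  `<span>NAUGHTY</span>`,
		},
		{
			name:  "span emoji",
			input: `<span class="emoji">contents</span>`,
			want:  `<span class="emoji">contents</span>`,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Both entry points must agree with the expected output, and
			// therefore with each other.
			assert.Equal(t, tc.want, Sanitize(tc.input), "Sanitize(%q)", tc.input)
			assert.Equal(t, tc.want, string(SanitizeBytes([]byte(tc.input))), "SanitizeBytes(%q)", tc.input)
		})
	}
}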
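// TestSanitizeNonEscape feeds the sanitizer a real <script> element wrapped in
// a tag whose name contains U+0130 (LATIN CAPITAL LETTER I WITH DOT ABOVE,
// "scrİpt"). Tag-name normalisation routines differ in whether that character
// folds to ASCII "i", so the outer tag may or may not be recognised as
// "script"; the test does not depend on which, it only requires that no
// executable <script> tag survives sanitization in any spelling.
func TestSanitizeNonEscape(t *testing.T) {
	const payload = "<scrİpt><script>alert(document.domain)</script></scrİpt>"

	// Wrapped as template.HTML to model the trusted value a template would
	// receive; the check below looks at its raw text.
	output := template.HTML(Sanitize(payload))

	// Match the tag prefix rather than the exact "<script>" spelling so that a
	// surviving "<script src=...>" or "<script type=...>" is caught as well;
	// an escaped "&lt;script&gt;" contains no "<" and passes.
	if strings.Contains(string(output), "<script") {
		t.Errorf("un-escaped <script> in output: %q", output)
	}
}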