93 lines
3 KiB
Elixir
93 lines
3 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.HTMLTest do
|
|
alias Pleroma.HTML
|
|
use Pleroma.DataCase
|
|
|
|
@html_sample """
|
|
<b>this is in bold</b>
|
|
<p>this is a paragraph</p>
|
|
this is a linebreak<br />
|
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
|
|
this is an image: <img src="http://example.com/image.jpg"><br />
|
|
<script>alert('hacked')</script>
|
|
"""
|
|
|
|
@html_onerror_sample """
|
|
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
|
"""
|
|
|
|
describe "StripTags scrubber" do
|
|
test "works as expected" do
|
|
expected = """
|
|
this is in bold
|
|
this is a paragraph
|
|
this is a linebreak
|
|
this is a link with allowed "rel" attribute: example.com
|
|
this is a link with not allowed "rel" attribute: example.com
|
|
this is an image:
|
|
alert('hacked')
|
|
"""
|
|
|
|
assert expected == HTML.strip_tags(@html_sample)
|
|
end
|
|
|
|
test "does not allow attribute-based XSS" do
|
|
expected = "\n"
|
|
|
|
assert expected == HTML.strip_tags(@html_onerror_sample)
|
|
end
|
|
end
|
|
|
|
describe "TwitterText scrubber" do
|
|
test "normalizes HTML as expected" do
|
|
expected = """
|
|
this is in bold
|
|
<p>this is a paragraph</p>
|
|
this is a linebreak<br />
|
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
|
alert('hacked')
|
|
"""
|
|
|
|
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
|
|
end
|
|
|
|
test "does not allow attribute-based XSS" do
|
|
expected = """
|
|
<img src="http://example.com/image.jpg" />
|
|
"""
|
|
|
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
|
|
end
|
|
end
|
|
|
|
describe "default scrubber" do
|
|
test "normalizes HTML as expected" do
|
|
expected = """
|
|
<b>this is in bold</b>
|
|
<p>this is a paragraph</p>
|
|
this is a linebreak<br />
|
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
|
alert('hacked')
|
|
"""
|
|
|
|
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
|
|
end
|
|
|
|
test "does not allow attribute-based XSS" do
|
|
expected = """
|
|
<img src="http://example.com/image.jpg" />
|
|
"""
|
|
|
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
|
|
end
|
|
end
|
|
end
|