// Copyright 2017 The Gitea Authors. All rights reserved. // Copyright 2017 The Gogs Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. package markup import ( "html/template" "strings" "testing" "github.com/stretchr/testify/assert" ) func Test_Sanitizer(t *testing.T) { NewSanitizer() testCases := []string{ // Regular `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`, // Code highlighting class `<code class="random string"></code>`, `<code></code>`, `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`, `<code class="language-go"></code>`, `<code class="language-go"></code>`, // Input checkbox `<input type="hidden">`, ``, `<input type="checkbox">`, `<input type="checkbox">`, `<input checked disabled autofocus>`, `<input checked="" disabled="">`, // Code highlight injection `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`, `<code class="language-lol ui tab active menu attached animating sidebar following bar center"> <code class="language-lol ui container input huge basic segment center"> </code> <img src="https://try.gogs.io/img/favicon.png" width="200" height="200"> <code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code> <code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at <a href="http://example.com/">example.com</a>.</code> </code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>", // <kbd> tags `<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`, `<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`, `<i class="icon dropdown"></i>`, `<i class="icon dropdown"></i>`, `<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`, `<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`, `<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`, // Color property `<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`, `<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`, `<code style="color: red">Hello World</code>`, `<code>Hello World</code>`, `<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`, `<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`, `<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`, } for i := 0; i < len(testCases); i += 2 { assert.Equal(t, testCases[i+1], Sanitize(testCases[i])) } } func TestSanitizeNonEscape(t *testing.T) { descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>" output := template.HTML(Sanitize(descStr)) if strings.Contains(string(output), "<script>") { t.Errorf("un-escaped <script> in output: %q", output) } }