debian-mirror-gitlab/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Banzai::Filter::BroadcastMessageSanitizationFilter do
  include FilterSpecHelper

  it_behaves_like 'default allowlist'

  describe 'custom allowlist' do
    it_behaves_like 'XSS prevention'
    it_behaves_like 'sanitize link'

    subject { filter(exp).to_html }

    context 'allows `a` elements' do
      let(:exp) { %q{<a href="/">Link</a>} }

      it { is_expected.to eq(exp) }
    end

    context 'allows `br` elements' do
      let(:exp) { %q{Hello<br>World} }

      it { is_expected.to eq(exp) }
    end

    context 'when `a` elements have `style` attribute' do
      let(:allowed_style) { 'color: red; border: blue; background: green; padding: 10px; margin: 10px; text-decoration: underline;' }

      context 'allows specific properties' do
        let(:exp) { %{<a href="#" style="#{allowed_style}">Stylish Link</a>} }

        it { is_expected.to eq(exp) }
      end

      it 'disallows other properties in `style` attribute on `a` elements' do
        style = [allowed_style, 'position: fixed'].join(';')
        doc = filter(%{<a href="#" style="#{style}">Stylish Link</a>})

        expect(doc.at_css('a')['style']).to eq(allowed_style)
      end
    end

    context 'allows `class` on `a` elements' do
      let(:exp) { %q{<a href="#" class="btn">Button Link</a>} }

      it { is_expected.to eq(exp) }
    end
  end
end
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`# frozen_string_literal: true`

			`require 'spec_helper'`

New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`RSpec.describe Banzai::Filter::BroadcastMessageSanitizationFilter do`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`include FilterSpecHelper`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`it_behaves_like 'default allowlist'`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`describe 'custom allowlist' do`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`it_behaves_like 'XSS prevention'`
			`it_behaves_like 'sanitize link'`

			`subject { filter(exp).to_html }`

			context 'allows `a` elements' do
			`let(:exp) { %q{<a href="/">Link</a>} }`

			`it { is_expected.to eq(exp) }`
			`end`

			context 'allows `br` elements' do
			`let(:exp) { %q{Hello<br>World} }`

			`it { is_expected.to eq(exp) }`
			`end`

			context 'when `a` elements have `style` attribute' do
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`let(:allowed_style) { 'color: red; border: blue; background: green; padding: 10px; margin: 10px; text-decoration: underline;' }`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
			`context 'allows specific properties' do`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`let(:exp) { %{<a href="#" style="#{allowed_style}">Stylish Link</a>} }`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
			`it { is_expected.to eq(exp) }`
			`end`

			it 'disallows other properties in `style` attribute on `a` elements' do
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`style = [allowed_style, 'position: fixed'].join(';')`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`doc = filter(%{<a href="#" style="#{style}">Stylish Link</a>})`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`expect(doc.at_css('a')['style']).to eq(allowed_style)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`
			`end`

			context 'allows `class` on `a` elements' do
			`let(:exp) { %q{<a href="#" class="btn">Button Link</a>} }`

			`it { is_expected.to eq(exp) }`
			`end`
			`end`
			`end`