# frozen_string_literal: true
require 'spec_helper'
# Specs for Banzai::Filter::SanitizationFilter, the HTML sanitizer that runs
# over rendered Markdown. Every example pushes markup through `filter`
# (provided by FilterSpecHelper) and asserts what the sanitizer lets through.
#
# NOTE(review): many fixture literals on this page appear to have lost their
# HTML tags during extraction (empty heredocs, `%q(def)` with no element
# around it, `%(link)` with no `#{id}` interpolation). The example titles and
# the `expect` lines still describe the intended contract; confirm the literal
# inputs against the upstream spec before reading anything into them.
RSpec.describe Banzai::Filter::SanitizationFilter do
  include FilterSpecHelper

  # Shared example group (defined elsewhere) for the baseline allowlist.
  it_behaves_like 'default allowlist'

  describe 'custom allowlist' do
    # Shared example groups (defined elsewhere) for the injection and link
    # cases the custom allowlist must still reject.
    it_behaves_like 'XSS prevention'
    it_behaves_like 'sanitize link'

    # Repeated `allowlist` calls must not keep appending to `:transformers`;
    # the transformer count is used as the observable for "applied once".
    it 'customizes the allowlist only once' do
      instance = described_class.new('Foo')
      control_count = instance.allowlist[:transformers].size
      3.times { instance.allowlist }
      expect(instance.allowlist[:transformers].size).to eq control_count
    end

    # Same invariant across two instances — presumably guards against a
    # shared allowlist hash being mutated by each instance in turn; the
    # implementation is not visible here.
    it 'customizes the allowlist only once for different instances' do
      instance1 = described_class.new('Foo1')
      instance2 = described_class.new('Foo2')
      control_count = instance1.allowlist[:transformers].size
      instance1.allowlist
      instance2.allowlist
      expect(instance1.allowlist[:transformers].size).to eq control_count
      expect(instance2.allowlist[:transformers].size).to eq control_count
    end

    # The surviving fixture shows a highlight span (`class="k"`) keeping its
    # class; the other elements the title refers to are not visible on this
    # page. The literal's inner lines must stay at column 0: `%q(...)` keeps
    # every byte between the parentheses.
    it 'sanitizes `class` attribute from all elements' do
      act = %q(
<span class="k">def</span>
)
      exp = %q(<span class="k">def</span>
)
      expect(filter(act).to_html).to eq exp
    end

    # Fixture appears tag-stripped on this page; the intent per the title is
    # that a span without the highlight marker loses its `class`.
    it 'sanitizes `class` attribute from non-highlight spans' do
      act = %q(def)
      expect(filter(act).to_html).to eq %q(def)
    end

    # Heredoc body not visible on this page; the assertions pin that `th`
    # and `td` each keep exactly one `text-align` declaration.
    it 'allows `text-align` property in `style` attribute on table elements' do
      html = <<~HTML
      HTML
      doc = filter(html)
      expect(doc.at_css('th')['style']).to eq 'text-align: center'
      expect(doc.at_css('td')['style']).to eq 'text-align: right'
    end

    # Expected outcome: the `th` loses its `style` attribute entirely, the
    # `td` keeps only `text-align: center`. The input markup is not visible
    # here, so which properties were on the `th` cannot be confirmed.
    it 'disallows other properties in `style` attribute on table elements' do
      html = <<~HTML
      HTML
      doc = filter(html)
      expect(doc.at_css('th')['style']).to be_nil
      expect(doc.at_css('td')['style']).to eq 'text-align: center'
    end

    # `style` is only tolerated on table cells; a `div` loses it outright.
    it 'disallows `text-align` property in `style` attribute on other elements' do
      html = <<~HTML
        Text
      HTML
      doc = filter(html)
      expect(doc.at_css('div')['style']).to be_nil
    end

    # Round-trip examples: output must equal input byte for byte. The
    # element tags appear to have been stripped from these literals.
    it 'allows `span` elements' do
      exp = act = %q(Hello)
      expect(filter(act).to_html).to eq exp
    end

    it 'allows `abbr` elements' do
      exp = act = %q(HTML)
      expect(filter(act).to_html).to eq exp
    end

    # `name` is dropped from `img` and `span` and retained only on `a`;
    # NOTE(review): the rationale is not stated here — presumably limiting
    # named-element collisions in the rendered DOM, confirm upstream.
    it 'disallows the `name` attribute globally, allows on `a`' do
      html = <<~HTML
        Hi
        Bye
      HTML
      doc = filter(html)
      expect(doc.at_css('img')).not_to have_attribute('name')
      expect(doc.at_css('span')).not_to have_attribute('name')
      expect(doc.at_css('a')).to have_attribute('name')
    end

    it 'allows `summary` elements' do
      exp = act = 'summary line'
      expect(filter(act).to_html).to eq exp
    end

    it 'allows `details` elements' do
      exp = act = 'long text goes here '
      expect(filter(act).to_html).to eq exp
    end

    # `<<-HTML` (not `<<~`) does NOT strip leading whitespace, so the body
    # lines below are deliberately kept at column 0 to preserve the strings.
    # Input and output are asserted equal, i.e. `data-math-style` survives.
    it 'allows `data-math-style` attribute on `code` and `pre` elements' do
      html = <<-HTML
something
something
something
      HTML
      output = <<-HTML
something
something
something
      HTML
      expect(filter(html).to_html).to eq(output)
    end

    # `data-sourcepos` round-trips unchanged; element tags not visible here.
    it 'allows the `data-sourcepos` attribute globally' do
      exp = %q(foo/bar.md
)
      act = filter(exp)
      expect(act.to_html).to eq exp
    end

    # Footnote `id` values are accepted or removed by shape: the rejecting
    # examples list ids that must be stripped (`fnrefx`, `test`, `xfnref1`
    # for links; `fnx`, `test`, `xfn1` for list items), and the last example
    # pins that multi-digit numbers are accepted.
    describe 'footnotes' do
      it 'allows correct footnote id property on links' do
        exp = %q(foo/bar.md)
        act = filter(exp)
        expect(act.to_html).to eq exp
      end

      it 'allows correct footnote id property on li element' do
        exp = %q(- footnote
)
        act = filter(exp)
        expect(act.to_html).to eq exp
      end

      # NOTE(review): the block variable `id` is not referenced inside the
      # `%(...)` literal as it appears here; the `#{id}` interpolation was
      # almost certainly lost together with the surrounding markup.
      it 'removes invalid id for footnote links' do
        exp = %q(link)
        %w[fnrefx test xfnref1].each do |id|
          act = filter(%(link))
          expect(act.to_html).to eq exp
        end
      end

      # Same caveat as above: `id` is unused in the visible literal.
      it 'removes invalid id for footnote li' do
        exp = %q(- footnote
)
        %w[fnx test xfn1].each do |id|
          act = filter(%(- footnote
))
          expect(act.to_html).to eq exp
        end
      end

      # Guards against an id pattern that only matches a single digit.
      it 'allows footnotes numbered higher than 9' do
        exp = %q(link- footnote
)
        act = filter(exp)
        expect(act.to_html).to eq exp
      end
    end
  end
end