require 'spec_helper'
describe Banzai::Filter::SanitizationFilter do
include FilterSpecHelper
describe 'default whitelist' do
it 'sanitizes tags that are not whitelisted' do
act = %q{ and }
exp = 'no inputs and no blinks'
expect(filter(act).to_html).to eq exp
end
it 'sanitizes tag attributes' do
act = %q{Text}
exp = %q{Text}
expect(filter(act).to_html).to eq exp
end
it 'sanitizes javascript in attributes' do
act = %q(Text)
exp = 'Text'
expect(filter(act).to_html).to eq exp
end
it 'sanitizes mixed-cased javascript in attributes' do
act = %q(Text)
exp = 'Text'
expect(filter(act).to_html).to eq exp
end
it 'allows whitelisted HTML tags from the user' do
exp = act = "
\n- Term
\n- Definition
\n
"
expect(filter(act).to_html).to eq exp
end
it 'sanitizes `class` attribute on any element' do
act = %q{Strong}
expect(filter(act).to_html).to eq %q{Strong}
end
it 'sanitizes `id` attribute on any element' do
act = %q{Emphasis}
expect(filter(act).to_html).to eq %q{Emphasis}
end
end
describe 'custom whitelist' do
it 'customizes the whitelist only once' do
instance = described_class.new('Foo')
control_count = instance.whitelist[:transformers].size
3.times { instance.whitelist }
expect(instance.whitelist[:transformers].size).to eq control_count
end
it 'customizes the whitelist only once for different instances' do
instance1 = described_class.new('Foo1')
instance2 = described_class.new('Foo2')
control_count = instance1.whitelist[:transformers].size
instance1.whitelist
instance2.whitelist
expect(instance1.whitelist[:transformers].size).to eq control_count
expect(instance2.whitelist[:transformers].size).to eq control_count
end
it 'sanitizes `class` attribute from all elements' do
act = %q{<span class="k">def</span>
}
exp = %q{<span class="k">def</span>
}
expect(filter(act).to_html).to eq exp
end
it 'sanitizes `class` attribute from non-highlight spans' do
act = %q{def}
expect(filter(act).to_html).to eq %q{def}
end
it 'allows `text-align` property in `style` attribute on table elements' do
html = <<~HTML
HTML
doc = filter(html)
expect(doc.at_css('th')['style']).to eq 'text-align: center'
expect(doc.at_css('td')['style']).to eq 'text-align: right'
end
it 'disallows other properties in `style` attribute on table elements' do
html = <<~HTML
HTML
doc = filter(html)
expect(doc.at_css('th')['style']).to be_nil
expect(doc.at_css('td')['style']).to eq 'text-align: center'
end
it 'disallows `text-align` property in `style` attribute on other elements' do
html = <<~HTML
Text
HTML
doc = filter(html)
expect(doc.at_css('div')['style']).to be_nil
end
it 'allows `span` elements' do
exp = act = %q{Hello}
expect(filter(act).to_html).to eq exp
end
it 'allows `abbr` elements' do
exp = act = %q{HTML}
expect(filter(act).to_html).to eq exp
end
it 'disallows the `name` attribute globally, allows on `a`' do
html = <<~HTML
Hi
Bye
HTML
doc = filter(html)
expect(doc.at_css('img')).not_to have_attribute('name')
expect(doc.at_css('span')).not_to have_attribute('name')
expect(doc.at_css('a')).to have_attribute('name')
end
it 'allows `summary` elements' do
exp = act = 'summary line'
expect(filter(act).to_html).to eq exp
end
it 'allows `details` elements' do
exp = act = 'long text goes here '
expect(filter(act).to_html).to eq exp
end
it 'allows `data-math-style` attribute on `code` and `pre` elements' do
html = <<-HTML
something
something
something
HTML
output = <<-HTML
something
something
something
HTML
expect(filter(html).to_html).to eq(output)
end
it 'removes `rel` attribute from `a` elements' do
act = %q{Link}
exp = %q{Link}
expect(filter(act).to_html).to eq exp
end
# Adapted from the Sanitize test suite: http://git.io/vczrM
protocols = {
'protocol-based JS injection: simple, no spaces' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: simple, spaces before' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: simple, spaces after' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: simple, spaces before and after' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: preceding colon' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: UTF-8 encoding' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: long UTF-8 encoding' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: hex encoding' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: long hex encoding' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: hex encoding without semicolons' => {
input: 'foo',
output: 'foo'
},
'protocol-based JS injection: null char' => {
input: "foo",
output: ''
},
'protocol-based JS injection: invalid URL char' => {
input: '',
output: ''
},
'protocol-based JS injection: Unicode' => {
input: %Q(foo),
output: 'foo'
},
'protocol-based JS injection: spaces and entities' => {
input: 'foo',
output: 'foo'
},
'protocol whitespace' => {
input: '',
output: ''
}
}
protocols.each do |name, data|
it "disallows #{name}" do
doc = filter(data[:input])
expect(doc.to_html).to eq data[:output]
end
end
it 'disallows data links' do
input = 'XSS'
output = filter(input)
expect(output.to_html).to eq 'XSS'
end
it 'disallows vbscript links' do
input = 'XSS'
output = filter(input)
expect(output.to_html).to eq 'XSS'
end
it 'disallows invalid URIs' do
expect(Addressable::URI).to receive(:parse).with('foo://example.com')
.and_raise(Addressable::URI::InvalidURIError)
input = 'Foo'
output = filter(input)
expect(output.to_html).to eq 'Foo'
end
it 'allows non-standard anchor schemes' do
exp = %q{IRC}
act = filter(exp)
expect(act.to_html).to eq exp
end
it 'allows relative links' do
exp = %q{foo/bar.md}
act = filter(exp)
expect(act.to_html).to eq exp
end
end
end