code.gitea.io/gitea@v1.19.3/modules/markup/sanitizer_test.go (about) 1 // Copyright 2017 The Gitea Authors. All rights reserved. 2 // Copyright 2017 The Gogs Authors. All rights reserved. 3 // SPDX-License-Identifier: MIT 4 5 package markup 6 7 import ( 8 "html/template" 9 "strings" 10 "testing" 11 12 "github.com/stretchr/testify/assert" 13 ) 14 15 func Test_Sanitizer(t *testing.T) { 16 NewSanitizer() 17 testCases := []string{ 18 // Regular 19 `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`, 20 21 // Code highlighting class 22 `<code class="random string"></code>`, `<code></code>`, 23 `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`, 24 `<code class="language-go"></code>`, `<code class="language-go"></code>`, 25 26 // Input checkbox 27 `<input type="hidden">`, ``, 28 `<input type="checkbox">`, `<input type="checkbox">`, 29 `<input checked disabled autofocus>`, `<input checked="" disabled="">`, 30 31 // Code highlight injection 32 `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`, 33 `<code class="language-lol ui tab active menu attached animating sidebar following bar center"> 34 <code class="language-lol ui container input huge basic segment center"> </code> 35 <img src="https://try.gogs.io/img/favicon.png" width="200" height="200"> 36 <code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code> 37 <code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at <a href="http://example.com/">example.com</a>.</code> 38 </code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>", 39 40 // <kbd> tags 41 `<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`, 42 `<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`, 43 `<i class="icon dropdown"></i>`, `<i class="icon dropdown"></i>`, 44 `<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`, 45 `<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`, 46 `<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`, 47 48 // Color property 49 `<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`, 50 `<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`, 51 `<code style="color: red">Hello World</code>`, `<code>Hello World</code>`, 52 `<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`, 53 `<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`, 54 `<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`, 55 } 56 57 for i := 0; i < len(testCases); i += 2 { 58 assert.Equal(t, testCases[i+1], Sanitize(testCases[i])) 59 } 60 } 61 62 func TestSanitizeNonEscape(t *testing.T) { 63 descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>" 64 65 output := template.HTML(Sanitize(descStr)) 66 if strings.Contains(string(output), "<script>") { 67 t.Errorf("un-escaped <script> in output: %q", output) 68 } 69 }