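// Copyright 2023 The GitBundle Inc. All rights reserved.
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

// Copyright 2017 The GitBundle Authors. All rights reserved.
// Copyright 2017 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package markup

import (
	"html/template"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
)

// Test_Sanitizer pins the exact output of Sanitize for a table of HTML
// inputs. The expected strings are the sanitizer's allowlist contract:
// event-handler attributes disappear, external links gain rel="nofollow",
// and class attributes survive only with the exact allowlisted values.
// Each case runs as a named subtest so a regression reports which rule
// broke rather than a bare slice index.
func Test_Sanitizer(t *testing.T) {
	// Sanitize relies on the package-level sanitizer set up by NewSanitizer
	// (defined outside this file), so it is initialised before any case runs.
	NewSanitizer()

	testCases := []struct {
		name string // subtest name
		in   string // raw HTML handed to Sanitize
		want string // exact markup Sanitize must return
	}{
		// Regular: the onblur handler is dropped and rel="nofollow" is added.
		{"event handler stripped, nofollow added", `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`},

		// Code highlighting class: only language-* survives on <code>.
		{"code class not on allowlist", `<code class="random string"></code>`, `<code></code>`},
		{"code class padded with ui classes", `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`},
		{"code language class kept", `<code class="language-go"></code>`, `<code class="language-go"></code>`},

		// Input checkbox: hidden inputs vanish entirely, checkbox is kept,
		// and autofocus is not among the attributes that survive.
		{"hidden input dropped", `<input type="hidden">`, ``},
		{"checkbox input kept", `<input type="checkbox">`, `<input type="checkbox">`},
		{"input boolean attributes", `<input checked disabled autofocus>`, `<input checked="" disabled="">`},

		// Code highlight injection: a class list that smuggles UI classes
		// next to a language-* token is stripped back to a bare <code>,
		// including when nested several levels deep.
		{"injected ui classes stripped", `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`},
		{"nested code injection", `<code class="language-lol ui tab active menu attached animating sidebar following bar center">
<code class="language-lol ui container input huge basic segment center"> </code>
<img src="https://try.gogs.io/img/favicon.png" width="200" height="200">
<code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code>
<code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at <a href="http://example.com/">example.com</a>.</code>
</code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>"},

		// <kbd> tags and the few exact class values that are allowlisted.
		// Note that the class match is exact: "dropdown icon" is rejected
		// while "icon dropdown" is kept, and "emoji dropdown" is rejected
		// while "emoji" is kept.
		{"kbd kept", `<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`},
		{"i class wrong order stripped", `<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`},
		{"i class icon dropdown kept", `<i class="icon dropdown"></i>`, `<i class="icon dropdown"></i>`},
		{"disabled checkbox kept", `<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`},
		{"span extra class stripped", `<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`},
		{"span emoji kept", `<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			assert.Equal(t, tc.want, Sanitize(tc.in))
		})
	}
}

// TestSanitizeNonEscape checks that a look-alike tag name does not let a
// real <script> element through. The outer tag is spelled with U+0130
// (LATIN CAPITAL LETTER I WITH DOT ABOVE); a sanitizer that case-folded tag
// names in a way that maps that rune to a plain "i" could treat the wrapper
// as <script> and mishandle its contents. The assertion is therefore on the
// literal "<script>" substring of the output, not on the wrapper tag itself.
func TestSanitizeNonEscape(t *testing.T) {
	descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>"

	// Converted to template.HTML to mirror how callers treat Sanitize's
	// result as trusted markup; the check itself runs on the string form.
	output := template.HTML(Sanitize(descStr))
	if strings.Contains(string(output), "<script>") {
		t.Errorf("un-escaped <script> in output: %q", output)
	}
}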