github.com/insionng/yougam@v0.0.0-20170714101924-2bc18d833463/libraries/bluemonday/policies_test.go (about) 1 // Copyright (c) 2014, David Kitchen <david@buro9.com> 2 // 3 // All rights reserved. 4 // 5 // Redistribution and use in source and binary forms, with or without 6 // modification, are permitted provided that the following conditions are met: 7 // 8 // * Redistributions of source code must retain the above copyright notice, this 9 // list of conditions and the following disclaimer. 10 // 11 // * Redistributions in binary form must reproduce the above copyright notice, 12 // this list of conditions and the following disclaimer in the documentation 13 // and/or other materials provided with the distribution. 14 // 15 // * Neither the name of the organisation (Microcosm) nor the names of its 16 // contributors may be used to endorse or promote products derived from 17 // this software without specific prior written permission. 18 // 19 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 23 // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 25 // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
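package bluemonday

import "testing"

// TestStrictPolicy checks that StrictPolicy strips every element and keeps
// only the text content, including for unclosed elements and for made-up
// tags (the `<quietly>` case is a real message-board post).
func TestStrictPolicy(t *testing.T) {
	p := StrictPolicy()

	tests := []test{
		{
			in:       "Hello, <b>World</b>!",
			expected: "Hello, World!",
		},
		{
			// Unclosed block element: the tag goes, the text stays.
			in:       "<blockquote>Hello, <b>World</b>!",
			expected: "Hello, World!",
		},
		{ // Real world example from a message board
			in:       `<quietly>email me - addy in profile</quiet>`,
			expected: `email me - addy in profile`,
		},
		// Empty input is expected to produce empty output.
		{},
	}

	// Loop variable is named tc rather than test so it does not shadow the
	// test type used for the table above.
	for ii, tc := range tests {
		out := p.Sanitize(tc.in)
		if out != tc.expected {
			// %q keeps empty strings and control characters visible in the
			// failure output.
			t.Errorf(
				"test %d failed;\ninput : %q\noutput : %q\nexpected: %q",
				ii,
				tc.in,
				out,
				tc.expected,
			)
		}
	}
}

// TestUGCPolicy checks the user-generated-content policy: formatting and
// block elements survive, event-handler attributes (onclick, onmouseover,
// onmousemove), style attributes and `javascript:` hrefs are dropped, URL
// schemes are lower-cased, `!` in a fragment is percent-encoded, anchors get
// rel="nofollow", non-numeric sizes on img are removed, `<font>` is
// unwrapped, `<script>` is removed together with its contents, and `\r\n`
// is normalised to `\n`.
func TestUGCPolicy(t *testing.T) {
	tests := []test{
		// Simple formatting
		{in: "Hello, World!", expected: "Hello, World!"},
		{in: "Hello, <b>World</b>!", expected: "Hello, <b>World</b>!"},
		// Blocks and formatting: inline event handlers are stripped from
		// both inline and block elements.
		{
			in:       "<p>Hello, <b onclick=alert(1337)>World</b>!</p>",
			expected: "<p>Hello, <b>World</b>!</p>",
		},
		{
			in:       "<p onclick=alert(1337)>Hello, <b>World</b>!</p>",
			expected: "<p>Hello, <b>World</b>!</p>",
		},
		// Inline tags featuring globals: rel="nofollow" is kept and the `!`
		// in the fragment is percent-encoded.
		{
			in:       `<a href="http://example.org/" rel="nofollow">Hello, <b>World</b></a><a href="https://example.org/#!" rel="nofollow">!</a>`,
			expected: `<a href="http://example.org/" rel="nofollow">Hello, <b>World</b></a><a href="https://example.org/#%21" rel="nofollow">!</a>`,
		},
		{
			in:       `Hello, <b>World</b><a title="!" href="https://example.org/#!" rel="nofollow">!</a>`,
			expected: `Hello, <b>World</b><a title="!" href="https://example.org/#%21" rel="nofollow">!</a>`,
		},
		// Images: a javascript: href drops the anchor but keeps its text;
		// border and a non-numeric width are removed from img.
		{
			in:       `<a href="javascript:alert(1337)">foo</a>`,
			expected: `foo`,
		},
		{
			in:       `<img src="http://example.org/foo.gif">`,
			expected: `<img src="http://example.org/foo.gif">`,
		},
		{
			in:       `<img src="http://example.org/x.gif" alt="y" width=96 height=64 border=0>`,
			expected: `<img src="http://example.org/x.gif" alt="y" width="96" height="64">`,
		},
		{
			in:       `<img src="http://example.org/x.png" alt="y" width="widgy" height=64 border=0>`,
			expected: `<img src="http://example.org/x.png" alt="y" height="64">`,
		},
		// Anchors: relative, http, https, upper-case scheme and
		// protocol-relative hrefs are kept (scheme lower-cased) and get
		// rel="nofollow"; javascript: drops the anchor; name is dropped, id kept.
		{
			in:       `<a href="foo.html">Link text</a>`,
			expected: `<a href="foo.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="foo.html" onclick="alert(1337)">Link text</a>`,
			expected: `<a href="foo.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="http://example.org/x.html" onclick="alert(1337)">Link text</a>`,
			expected: `<a href="http://example.org/x.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="https://example.org/x.html" onclick="alert(1337)">Link text</a>`,
			expected: `<a href="https://example.org/x.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="HTTPS://example.org/x.html" onclick="alert(1337)">Link text</a>`,
			expected: `<a href="https://example.org/x.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="//example.org/x.html" onclick="alert(1337)">Link text</a>`,
			expected: `<a href="//example.org/x.html" rel="nofollow">Link text</a>`,
		},
		{
			in:       `<a href="javascript:alert(1337).html" onclick="alert(1337)">Link text</a>`,
			expected: `Link text`,
		},
		{
			in:       `<a name="header" id="header">Header text</a>`,
			expected: `<a id="header">Header text</a>`,
		},
		// Tables: style attributes are dropped, align is kept, <font> is
		// unwrapped to its text.
		{
			in: `<table style="color: rgb(0, 0, 0);">` +
				`<tbody>` +
				`<tr>` +
				`<th>Column One</th><th>Column Two</th>` +
				`</tr>` +
				`<tr>` +
				`<td align="center"` +
				` style="background-color: rgb(255, 255, 254);">` +
				`<font size="2">Size 2</font></td>` +
				`<td align="center"` +
				` style="background-color: rgb(255, 255, 254);">` +
				`<font size="7">Size 7</font></td>` +
				`</tr>` +
				`</tbody>` +
				`</table>`,
			expected: `<table>` +
				`<tbody>` +
				`<tr>` +
				`<th>Column One</th><th>Column Two</th>` +
				`</tr>` +
				`<tr>` +
				`<td align="center">Size 2</td>` +
				`<td align="center">Size 7</td>` +
				`</tr>` +
				`</tbody>` +
				`</table>`,
		},
		// Ordering: several disallowed attributes mixed with allowed ones,
		// with a nested img, all in one element.
		{
			in:       `xss<a href="http://www.google.de" style="color:red;" onmouseover=alert(1) onmousemove="alert(2)" onclick=alert(3)>g<img src="http://example.org"/>oogle</a>`,
			expected: `xss<a href="http://www.google.de" rel="nofollow">g<img src="http://example.org"/>oogle</a>`,
		},
		// OWASP 25 June 2014 09:15 Strange behaviour: <script> and its
		// contents are removed and \r\n becomes \n; the unclosed <table> is
		// left as-is in the expected output.
		{
			in:       "<table>Hallo\r\n<script>SCRIPT</script>\nEnde\n\r",
			expected: "<table>Hallo\n\nEnde\n\n",
		},
	}

	p := UGCPolicy()

	// Loop variable is named tc rather than test so it does not shadow the
	// test type used for the table above.
	for ii, tc := range tests {
		out := p.Sanitize(tc.in)
		if out != tc.expected {
			// %q keeps the \r\n case and any empty output readable in the
			// failure message.
			t.Errorf(
				"test %d failed;\ninput : %q\noutput : %q\nexpected: %q",
				ii,
				tc.in,
				out,
				tc.expected,
			)
		}
	}
}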