
     1  // Copyright 2017 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package sanitizehtml
    16  
    17  import (
    18  	"bytes"
    19  	"strings"
    20  	"testing"
    21  
    22  	. "github.com/smartystreets/goconvey/convey"
    23  )
    24  
// TestSanitize feeds a table of HTML fragments through Sanitize and compares
// the rewritten markup byte-for-byte with the expected output.
//
// The table covers the behaviours visible in the expectations below: script
// elements are dropped; attributes such as style, foo and x are stripped;
// tag names are lowercased; <a> elements gain rel="noopener" and
// target="_blank"; an href whose scheme is disallowed (javascript:, about:,
// a bare path), is malformed, or is relative is replaced with an
// about:invalid marker naming the reason; <div> wrappers are removed while
// their content is kept; entities are re-escaped; and unclosed or
// mismatched tags still produce well-formed output.
func TestSanitize(t *testing.T) {
	t.Parallel()

	type sanitizeCase struct {
		in  string // HTML handed to Sanitize
		out string // exact bytes expected on the writer
	}

	tests := []sanitizeCase{
		// Scripts: the whole element disappears.
		{
			`<script src="evil.js"/>`,
			``,
		},

		// Paragraphs: style is dropped, tag case is normalised, <br> survives.
		{
			`<p style="font-size: 100">hi</p>`,
			`<p>hi</p>`,
		},
		{
			`<P>hi</P>`,
			`<p>hi</p>`,
		},
		{
			`a<br>b`,
			`a<br>b`,
		},

		// Lists: unknown attributes on <ul> and <li> are stripped, whitespace is kept.
		{
			`<ul foo="bar">
				<li x="y">a</li>
				<li>a</li>
			</ul>`,
			`<ul>
				<li>a</li>
				<li>a</li>
			</ul>`,
		},

		// Links: every <a> gets rel/target; the href is rewritten rather than
		// dropped, so the link text survives while an unsafe target does not.
		{
			`<a href="https://ci.chromium.org" alt="x">link</a>`,
			`<a rel="noopener" target="_blank" href="https://ci.chromium.org" alt="x">link</a>`,
		},
		{
			`<a href="javascript:evil.js">link</a>`,
			`<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme">link</a>`,
		},
		{
			`<a href="about:blank">link</a>`,
			`<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme">link</a>`,
		},
		{
			`<a href="%">link</a>`,
			`<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=malformed-url">link</a>`,
		},
		{
			// A bare path has no scheme and is reported as disallowed-scheme.
			`<a href="/foo">link</a>`,
			`<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme">link</a>`,
		},
		{
			`<a href="https:///foo">link</a>`,
			`<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=relative-url">link</a>`,
		},
		{
			// The stray '<' is escaped; the unquoted href is still sanitized.
			`<<a href=abc>`,
			`&lt;<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme"></a>`,
		},

		// Other: wrappers, entities and malformed nesting.
		{
			`<div><strong>hello</strong></div>`,
			`<strong>hello</strong>`,
		},
		{
			`&lt;`,
			`&lt;`,
		},
		{
			// An unknown entity is not an entity; its ampersand gets escaped.
			`&foobar;`,
			`&amp;foobar;`,
		},
		{
			`<div><p>foo</p>`,
			`<p>foo</p>`,
		},
		{
			`<p></a alt="blah"></p>`,
			`<p></p>`,
		},
		{
			`<p><a>blah</p></a>`,
			`<p><a rel="noopener" target="_blank">blah</a></p>`,
		},
	}

	for i := range tests {
		// Copy the element so the closure below captures this iteration's case.
		tc := tests[i]
		Convey(tc.in, t, func() {
			var out bytes.Buffer
			sanitizeErr := Sanitize(&out, strings.NewReader(tc.in))
			So(sanitizeErr, ShouldBeNil)
			So(out.String(), ShouldEqual, tc.out)
		})
	}
}