diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-08-20 18:42:06 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-08-20 18:42:06 +0000 |
commit | 6e4e1050d9dba2b7b2523fdd1768823ab85feef4 (patch) | |
tree | 78be5963ec075d80116a932011d695dd33910b4e /spec/frontend/notebook/cells/output/html_sanitize_fixtures.js | |
parent | 1ce776de4ae122aba3f349c02c17cebeaa8ecf07 (diff) | |
download | gitlab-ce-6e4e1050d9dba2b7b2523fdd1768823ab85feef4.tar.gz |
Add latest changes from gitlab-org/gitlab@13-3-stable-ee
Diffstat (limited to 'spec/frontend/notebook/cells/output/html_sanitize_fixtures.js')
-rw-r--r-- | spec/frontend/notebook/cells/output/html_sanitize_fixtures.js | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js new file mode 100644 index 00000000000..a886715ce4b --- /dev/null +++ b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js @@ -0,0 +1,114 @@ +export default [ + [ + 'protocol-based JS injection: simple, no spaces', + { + input: `<a href="javascript:alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: simple, spaces before', + { + input: `<a href="javascript :alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: simple, spaces after', + { + input: `<a href="javascript: alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: simple, spaces before and after', + { + input: `<a href="javascript : alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: preceding colon', + { + input: `<a href=":javascript:alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: UTF-8 encoding', + { + input: '<a href="javascript:">foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: long UTF-8 encoding', + { + input: '<a href="javascript:">foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: long UTF-8 encoding without semicolons', + { + input: + '<a href=javascript:alert('XSS')>foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: hex encoding', + { + input: '<a href="javascript:">foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: long hex encoding', + { + input: '<a href="javascript:">foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: hex encoding without semicolons', + { + input: + '<a href=javascript:alert('XSS')>foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: null char', + { + input: '<a href=java\u0000script:alert("XSS")>foo</a>', + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: invalid URL char', + { input: '<img src=javascript:alert("XSS")>', output: '<img>' }, + ], + [ + 'protocol-based JS injection: Unicode', + { + input: `<a href="\u0001java\u0003script:alert('XSS')">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'protocol-based JS injection: spaces and entities', + { + input: `<a href="  javascript:alert('XSS');">foo</a>`, + output: '<a>foo</a>', + }, + ], + [ + 'img on error', + { + input: '<img src="x" onerror="alert(document.domain)" />', + output: '<img src="x">', + }, + ], + ['style tags are removed', { input: '<style>.foo {}</style> Foo', output: 'Foo' }], +]; |