Diffstat (limited to 'spec/frontend/notebook/cells/output/html_sanitize_fixtures.js')
-rw-r--r--spec/frontend/notebook/cells/output/html_sanitize_fixtures.js174
1 files changed, 78 insertions, 96 deletions
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
index a886715ce4b..0b585ab860b 100644
--- a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
+++ b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
@@ -1,114 +1,96 @@
+/**
+ * Jupyter notebooks handles the following data types
+ * that are to be handled by `html.vue`
+ *
+ * 'text/html';
+ * 'image/svg+xml';
+ *
+ * This file sets up fixtures for each of these types
+ * NOTE: The inputs are taken directly from data derived from the
+ * jupyter notebook file used to test nbview here:
+ * https://nbviewer.jupyter.org/github/ipython/ipython-in-depth/blob/master/examples/IPython%20Kernel/Rich%20Output.ipynb
+ */
+
export default [
[
- 'protocol-based JS injection: simple, no spaces',
+ 'text/html table',
{
- input: `<a href="javascript:alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
+ input: [
+ '<table>\n',
+ '<tr>\n',
+ '<th>Header 1</th>\n',
+ '<th>Header 2</th>\n',
+ '</tr>\n',
+ '<tr>\n',
+ '<td>row 1, cell 1</td>\n',
+ '<td>row 1, cell 2</td>\n',
+ '</tr>\n',
+ '<tr>\n',
+ '<td>row 2, cell 1</td>\n',
+ '<td>row 2, cell 2</td>\n',
+ '</tr>\n',
+ '</table>',
+ ].join(''),
+ output: '<table>',
},
],
+ // Note: style is sanitized out
[
- 'protocol-based JS injection: simple, spaces before',
+ 'text/html style',
{
- input: `<a href="javascript :alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
+ input: [
+ '<style type="text/css">\n',
+ '\n',
+ 'circle {\n',
+ ' fill: rgb(31, 119, 180);\n',
+ ' fill-opacity: .25;\n',
+ ' stroke: rgb(31, 119, 180);\n',
+ ' stroke-width: 1px;\n',
+ '}\n',
+ '\n',
+ '.leaf circle {\n',
+ ' fill: #ff7f0e;\n',
+ ' fill-opacity: 1;\n',
+ '}\n',
+ '\n',
+ 'text {\n',
+ ' font: 10px sans-serif;\n',
+ '}\n',
+ '\n',
+ '</style>',
+ ].join(''),
+ output: '<!---->',
},
],
+ // Note: iframe is sanitized out
[
- 'protocol-based JS injection: simple, spaces after',
+ 'text/html iframe',
{
- input: `<a href="javascript: alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
+ input: [
+ '\n',
+ ' <iframe\n',
+ ' width="400"\n',
+ ' height="300"\n',
+ ' src="https://www.youtube.com/embed/sjfsUzECqK0"\n',
+ ' frameborder="0"\n',
+ ' allowfullscreen\n',
+ ' ></iframe>\n',
+ ' ',
+ ].join(''),
+ output: '<!---->',
},
],
[
- 'protocol-based JS injection: simple, spaces before and after',
+ 'image/svg+xml',
{
- input: `<a href="javascript : alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
+ input: [
+ '<svg height="115.02pt" id="svg2" version="1.0" width="388.84pt" xmlns="http://www.w3.org/2000/svg">\n',
+ ' <g>\n',
+ ' <path d="M 184.61344,61.929363 C 184.61344,47.367213 180.46118,39.891193 172.15666,39.481813" style="fill:#646464;fill-opacity:1"/>\n',
+ ' </g>\n',
+ '</svg>',
+ ].join(),
+ output: '<svg height="115.02pt" id="svg2"',
},
],
- [
- 'protocol-based JS injection: preceding colon',
- {
- input: `<a href=":javascript:alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: UTF-8 encoding',
- {
- input: '<a href="javascript&#58;">foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: long UTF-8 encoding',
- {
- input: '<a href="javascript&#0058;">foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: long UTF-8 encoding without semicolons',
- {
- input:
- '<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: hex encoding',
- {
- input: '<a href="javascript&#x3A;">foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: long hex encoding',
- {
- input: '<a href="javascript&#x003A;">foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: hex encoding without semicolons',
- {
- input:
- '<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: null char',
- {
- input: '<a href=java\u0000script:alert("XSS")>foo</a>',
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: invalid URL char',
- { input: '<img src=javascript:alert("XSS")>', output: '<img>' },
- ],
- [
- 'protocol-based JS injection: Unicode',
- {
- input: `<a href="\u0001java\u0003script:alert('XSS')">foo</a>`,
- output: '<a>foo</a>',
- },
- ],
- [
- 'protocol-based JS injection: spaces and entities',
- {
- input: `<a href=" &#14; javascript:alert('XSS');">foo</a>`,
- output: '<a>foo</a>',
- },
- ],
- [
- 'img on error',
- {
- input: '<img src="x" onerror="alert(document.domain)" />',
- output: '<img src="x">',
- },
- ],
- ['style tags are removed', { input: '<style>.foo {}</style> Foo', output: 'Foo' }],
];
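Review bot: The `image/svg+xml` fixture builds its input with `].join()` (no separator), unlike the three `text/html` fixtures that use `].join('')`; `Array.prototype.join()` defaults to a comma, so this input carries a literal `,` between every line, which is not what the notebook emitted. The spec probably still passes because `output` is only a prefix of the rendered markup, but the fixture should read `].join(''),` so the sanitizer is exercised on the real document. Since each `output` here (`'<table>'`, `'<!---->'`, `'<svg height="115.02pt" id="svg2"'`) is a fragment rather than the full rendered string, it would help to state in the header comment that consumers match `output` as a prefix/substring rather than with equality. The old adversarial cases (`javascript:` URLs in `href`, `onerror` handlers) are dropped in this hunk; if they are not covered by another spec, a one-line pointer in the header comment to where sanitizer regression coverage now lives would save the next reader from assuming this file is it.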