Diffstat (limited to 'spec/frontend/notebook/cells/output/html_sanitize_tests.js')
-rw-r--r-- | spec/frontend/notebook/cells/output/html_sanitize_tests.js | 68 |
1 files changed, 0 insertions, 68 deletions
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_tests.js b/spec/frontend/notebook/cells/output/html_sanitize_tests.js
deleted file mode 100644
index 74c48f04367..00000000000
--- a/spec/frontend/notebook/cells/output/html_sanitize_tests.js
+++ /dev/null
@@ -1,68 +0,0 @@
-export default {
- 'protocol-based JS injection: simple, no spaces': {
- input: '<a href="javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces before': {
- input: '<a href="javascript :alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces after': {
- input: '<a href="javascript: alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces before and after': {
- input: '<a href="javascript : alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: preceding colon': {
- input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: UTF-8 encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long UTF-8 encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long UTF-8 encoding without semicolons': {
- input:
- '<a href=javascript:alert('XSS')>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: hex encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long hex encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: hex encoding without semicolons': {
- input:
- '<a href=javascript:alert('XSS')>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: null char': {
- input: '<a href=java\0script:alert("XSS")>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: invalid URL char': {
- input: '<img src=javascript:alert("XSS")>',
- output: '<img>',
- },
- 'protocol-based JS injection: Unicode': {
- input: '<a href="\u0001java\u0003script:alert(\'XSS\')">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: spaces and entities': {
- input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'img on error': {
- input: '<img src="x" onerror="alert(document.domain)" />',
- output: '<img src="x">',
- },
-}; |