diff options
Diffstat (limited to 'spec/lib/banzai/filter/sanitization_filter_spec.rb')
| -rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 180 |
1 files changed, 4 insertions, 176 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 8a4b819e4d6..607dc3fda47 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -5,48 +5,12 @@ require 'spec_helper' describe Banzai::Filter::SanitizationFilter do include FilterSpecHelper - describe 'default whitelist' do - it 'sanitizes tags that are not whitelisted' do - act = %q{<textarea>no inputs</textarea> and <blink>no blinks</blink>} - exp = 'no inputs and no blinks' - expect(filter(act).to_html).to eq exp - end - - it 'sanitizes tag attributes' do - act = %q{<a href="http://example.com/bar.html" onclick="bar">Text</a>} - exp = %q{<a href="http://example.com/bar.html">Text</a>} - expect(filter(act).to_html).to eq exp - end - - it 'sanitizes javascript in attributes' do - act = %q(<a href="javascript:alert('foo')">Text</a>) - exp = '<a>Text</a>' - expect(filter(act).to_html).to eq exp - end - - it 'sanitizes mixed-cased javascript in attributes' do - act = %q(<a href="javaScript:alert('foo')">Text</a>) - exp = '<a>Text</a>' - expect(filter(act).to_html).to eq exp - end - - it 'allows whitelisted HTML tags from the user' do - exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>" - expect(filter(act).to_html).to eq exp - end - - it 'sanitizes `class` attribute on any element' do - act = %q{<strong class="foo">Strong</strong>} - expect(filter(act).to_html).to eq %q{<strong>Strong</strong>} - end - - it 'sanitizes `id` attribute on any element' do - act = %q{<em id="foo">Emphasis</em>} - expect(filter(act).to_html).to eq %q{<em>Emphasis</em>} - end - end + it_behaves_like 'default whitelist' describe 'custom whitelist' do + it_behaves_like 'XSS prevention' + it_behaves_like 'sanitize link' + it 'customizes the whitelist only once' do instance = described_class.new('Foo') control_count = instance.whitelist[:transformers].size @@ -167,142 +131,6 @@ describe Banzai::Filter::SanitizationFilter do expect(filter(html).to_html).to eq(output) end - it 'removes `rel` attribute from `a` elements' do - act = %q{<a href="#" rel="nofollow">Link</a>} - exp = %q{<a href="#">Link</a>} - - expect(filter(act).to_html).to eq exp - end - - # Adapted from the Sanitize test suite: http://git.io/vczrM - protocols = { - 'protocol-based JS injection: simple, no spaces' => { - input: '<a href="javascript:alert(\'XSS\');">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: simple, spaces before' => { - input: '<a href="javascript :alert(\'XSS\');">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: simple, spaces after' => { - input: '<a href="javascript: alert(\'XSS\');">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: simple, spaces before and after' => { - input: '<a href="javascript : alert(\'XSS\');">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: preceding colon' => { - input: '<a href=":javascript:alert(\'XSS\');">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: UTF-8 encoding' => { - input: '<a href="javascript:">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: long UTF-8 encoding' => { - input: '<a href="javascript:">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: long UTF-8 encoding without semicolons' => { - input: '<a href=javascript:alert('XSS')>foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: hex encoding' => { - input: '<a href="javascript:">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: long hex encoding' => { - input: '<a href="javascript:">foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: hex encoding without semicolons' => { - input: '<a href=javascript:alert('XSS')>foo</a>', - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: null char' => { - input: "<a href=java\0script:alert(\"XSS\")>foo</a>", - output: '<a href="java"></a>' - }, - - 'protocol-based JS injection: invalid URL char' => { - input: '<img src=java\script:alert("XSS")>', - output: '<img>' - }, - - 'protocol-based JS injection: Unicode' => { - input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>), - output: '<a>foo</a>' - }, - - 'protocol-based JS injection: spaces and entities' => { - input: '<a href="  javascript:alert(\'XSS\');">foo</a>', - output: '<a href="">foo</a>' - }, - - 'protocol whitespace' => { - input: '<a href=" http://example.com/"></a>', - output: '<a href="http://example.com/"></a>' - } - } - - protocols.each do |name, data| - it "disallows #{name}" do - doc = filter(data[:input]) - - expect(doc.to_html).to eq data[:output] - end - end - - it 'disallows data links' do - input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>' - output = filter(input) - - expect(output.to_html).to eq '<a>XSS</a>' - end - - it 'disallows vbscript links' do - input = '<a href="vbscript:alert(document.domain)">XSS</a>' - output = filter(input) - - expect(output.to_html).to eq '<a>XSS</a>' - end - - it 'disallows invalid URIs' do - expect(Addressable::URI).to receive(:parse).with('foo://example.com') - .and_raise(Addressable::URI::InvalidURIError) - - input = '<a href="foo://example.com">Foo</a>' - output = filter(input) - - expect(output.to_html).to eq '<a>Foo</a>' - end - - it 'allows non-standard anchor schemes' do - exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>} - act = filter(exp) - - expect(act.to_html).to eq exp - end - - it 'allows relative links' do - exp = %q{<a href="foo/bar.md">foo/bar.md</a>} - act = filter(exp) - - expect(act.to_html).to eq exp - end - it 'allows the `data-sourcepos` attribute globally' do exp = %q{<p data-sourcepos="1:1-1:10">foo/bar.md</p>} act = filter(exp) |