# frozen_string_literal: true require 'spec_helper' describe Banzai::Filter::SanitizationFilter do include FilterSpecHelper describe 'default whitelist' do it 'sanitizes tags that are not whitelisted' do act = %q{ and no blinks} exp = 'no inputs and no blinks' expect(filter(act).to_html).to eq exp end it 'sanitizes tag attributes' do act = %q{Text} exp = %q{Text} expect(filter(act).to_html).to eq exp end it 'sanitizes javascript in attributes' do act = %q(Text) exp = 'Text' expect(filter(act).to_html).to eq exp end it 'sanitizes mixed-cased javascript in attributes' do act = %q(Text) exp = 'Text' expect(filter(act).to_html).to eq exp end it 'allows whitelisted HTML tags from the user' do exp = act = "
\n
Term
\n
Definition
\n
" expect(filter(act).to_html).to eq exp end it 'sanitizes `class` attribute on any element' do act = %q{Strong} expect(filter(act).to_html).to eq %q{Strong} end it 'sanitizes `id` attribute on any element' do act = %q{Emphasis} expect(filter(act).to_html).to eq %q{Emphasis} end end describe 'custom whitelist' do it 'customizes the whitelist only once' do instance = described_class.new('Foo') control_count = instance.whitelist[:transformers].size 3.times { instance.whitelist } expect(instance.whitelist[:transformers].size).to eq control_count end it 'customizes the whitelist only once for different instances' do instance1 = described_class.new('Foo1') instance2 = described_class.new('Foo2') control_count = instance1.whitelist[:transformers].size instance1.whitelist instance2.whitelist expect(instance1.whitelist[:transformers].size).to eq control_count expect(instance2.whitelist[:transformers].size).to eq control_count end it 'sanitizes `class` attribute from all elements' do act = %q{
<span class="k">def</span>
} exp = %q{
<span class="k">def</span>
} expect(filter(act).to_html).to eq exp end it 'sanitizes `class` attribute from non-highlight spans' do act = %q{def} expect(filter(act).to_html).to eq %q{def} end it 'allows `text-align` property in `style` attribute on table elements' do html = <<~HTML
Head
Body
HTML doc = filter(html) expect(doc.at_css('th')['style']).to eq 'text-align: center' expect(doc.at_css('td')['style']).to eq 'text-align: right' end it 'disallows other properties in `style` attribute on table elements' do html = <<~HTML
Head
Body
HTML doc = filter(html) expect(doc.at_css('th')['style']).to be_nil expect(doc.at_css('td')['style']).to eq 'text-align: center' end it 'disallows `text-align` property in `style` attribute on other elements' do html = <<~HTML
Text
HTML doc = filter(html) expect(doc.at_css('div')['style']).to be_nil end it 'allows `span` elements' do exp = act = %q{Hello} expect(filter(act).to_html).to eq exp end it 'allows `abbr` elements' do exp = act = %q{HTML} expect(filter(act).to_html).to eq exp end it 'disallows the `name` attribute globally, allows on `a`' do html = <<~HTML Hi Bye HTML doc = filter(html) expect(doc.at_css('img')).not_to have_attribute('name') expect(doc.at_css('span')).not_to have_attribute('name') expect(doc.at_css('a')).to have_attribute('name') end it 'allows `summary` elements' do exp = act = 'summary line' expect(filter(act).to_html).to eq exp end it 'allows `details` elements' do exp = act = '
long text goes here
' expect(filter(act).to_html).to eq exp end it 'allows `data-math-style` attribute on `code` and `pre` elements' do html = <<-HTML 
something
something
something
HTML output = <<-HTML 
something
something
something
HTML expect(filter(html).to_html).to eq(output) end it 'removes `rel` attribute from `a` elements' do act = %q{Link} exp = %q{Link} expect(filter(act).to_html).to eq exp end # Adapted from the Sanitize test suite: http://git.io/vczrM protocols = { 'protocol-based JS injection: simple, no spaces' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: simple, spaces before' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: simple, spaces after' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: simple, spaces before and after' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: preceding colon' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: UTF-8 encoding' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: long UTF-8 encoding' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: long UTF-8 encoding without semicolons' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: hex encoding' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: long hex encoding' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: hex encoding without semicolons' => { input: 'foo', output: 'foo' }, 'protocol-based JS injection: null char' => { input: "foo", output: '' }, 'protocol-based JS injection: invalid URL char' => { input: '', output: '' }, 'protocol-based JS injection: Unicode' => { input: %Q(foo), output: 'foo' }, 'protocol-based JS injection: spaces and entities' => { input: 'foo', output: 'foo' }, 'protocol whitespace' => { input: '', output: '' } } protocols.each do |name, data| it "disallows #{name}" do doc = filter(data[:input]) expect(doc.to_html).to eq data[:output] end end it 'disallows data links' do input = 'XSS' output = filter(input) expect(output.to_html).to eq 'XSS' end it 'disallows vbscript links' do input = 'XSS' output = filter(input) expect(output.to_html).to eq 'XSS' end it 'disallows invalid URIs' do expect(Addressable::URI).to receive(:parse).with('foo://example.com') .and_raise(Addressable::URI::InvalidURIError) input = 'Foo' output = filter(input) expect(output.to_html).to eq 'Foo' end it 'allows non-standard anchor schemes' do exp = %q{IRC} act = filter(exp) expect(act.to_html).to eq exp end it 'allows relative links' do exp = %q{foo/bar.md} act = filter(exp) expect(act.to_html).to eq exp end it 'allows the `data-sourcepos` attribute globally' do exp = %q{

foo/bar.md

} act = filter(exp) expect(act.to_html).to eq exp end describe 'footnotes' do it 'allows correct footnote id property on links' do exp = %q{foo/bar.md} act = filter(exp) expect(act.to_html).to eq exp end it 'allows correct footnote id property on li element' do exp = %q{
  1. footnote
} act = filter(exp) expect(act.to_html).to eq exp end it 'removes invalid id for footnote links' do exp = %q{link} %w[fnrefx test xfnref1].each do |id| act = filter(%Q{link}) expect(act.to_html).to eq exp end end it 'removes invalid id for footnote li' do exp = %q{
  1. footnote
} %w[fnx test xfn1].each do |id| act = filter(%Q{
  1. footnote
}) expect(act.to_html).to eq exp end end it 'allows footnotes numbered higher than 9' do exp = %q{link
  1. footnote
} act = filter(exp) expect(act.to_html).to eq exp end end end end