path: root/spec/lib/banzai/filter/image_link_filter_spec.rb
# frozen_string_literal: true

require 'spec_helper'

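# Specs for the filter that wraps <img> elements in a link to the image
# source, or replaces the image with a plain link when the
# :link_replaces_image context option is set.
#
# The `to_html` expectations are anchored with \A and \Z instead of ^ and $.
# In Ruby, ^ and $ match at every line boundary, so a line-anchored pattern
# passes as soon as any single line of the output has the expected shape,
# which is too weak for the injection regression specs below. \Z still
# tolerates one trailing newline in case the serializer appends one.
# Values interpolated into a pattern go through Regexp.escape so that "."
# in a path matches only a literal dot.
RSpec.describe Banzai::Filter::ImageLinkFilter do
  include FilterSpecHelper

  let(:path) { '/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg' }
  let(:context) { {} }

  # Builds the <img> markup handed to the filter.
  #
  # All values are interpolated verbatim, without HTML escaping. That is what
  # lets the specs below pass raw payloads through, but it also means a value
  # containing a double quote would terminate the attribute early.
  #
  # @param path [String] value of the src attribute
  # @param alt [String, nil] value of the alt attribute, omitted when nil
  # @param data_src [String, nil] value of the data-src attribute, omitted when nil
  # @return [String] the <img> tag
  def image(path, alt: nil, data_src: nil)
    alt_tag = alt ? %Q{alt="#{alt}"} : ""
    data_src_tag = data_src ? %Q{data-src="#{data_src}"} : ""

    %(<img src="#{path}" #{alt_tag} #{data_src_tag} />)
  end

  it 'wraps the image with a link to the image src' do
    doc = filter(image(path), context)

    expect(doc.at_css('img')['src']).to eq doc.at_css('a')['href']
  end

  it 'does not wrap a duplicate link' do
    doc = filter(%Q(<a href="/whatever">#{image(path)}</a>), context)

    expect(doc.to_html).to match %r{\A<a href="/whatever"><img[^>]*></a>\Z}
  end

  it 'works with external images' do
    doc = filter(image('https://i.imgur.com/DfssX9C.jpg'), context)

    expect(doc.at_css('img')['src']).to eq doc.at_css('a')['href']
  end

  it 'works with inline images' do
    doc = filter(%Q(<p>test #{image(path)} inline</p>), context)

    expect(doc.to_html).to match %r{\A<p>test <a[^>]*><img[^>]*></a> inline</p>\Z}
  end

  it 'keep the data-canonical-src' do
    doc = filter(%q(<img src="http://assets.example.com/6cd/4d7" data-canonical-src="http://example.com/test.png" />), context)

    expect(doc.at_css('img')['src']).to eq doc.at_css('a')['href']
    expect(doc.at_css('img')['data-canonical-src']).to eq doc.at_css('a')['data-canonical-src']
  end

  it 'moves the data-diagram* attributes' do
    doc = filter(%q(<img class="plantuml" src="http://localhost:8080/png/U9npoazIqBLJ24uiIbImKl18pSd91m0rkGMq" data-diagram="plantuml" data-diagram-src="data:text/plain;base64,Qm9iIC0+IFNhcmEgOiBIZWxsbw==">), context)

    expect(doc.at_css('a')['data-diagram']).to eq "plantuml"
    expect(doc.at_css('a')['data-diagram-src']).to eq "data:text/plain;base64,Qm9iIC0+IFNhcmEgOiBIZWxsbw=="

    # The attributes are expected on the link only, not duplicated on the image.
    expect(doc.at_css('a img')['data-diagram']).to be_nil
    expect(doc.at_css('a img')['data-diagram-src']).to be_nil
  end

  it 'adds no-attachment icon class to the link' do
    doc = filter(image(path), context)

    expect(doc.at_css('a')['class']).to match(%r{no-attachment-icon})
  end

  context 'when :link_replaces_image is true' do
    let(:context) { { link_replaces_image: true } }

    it 'replaces the image with link to image src', :aggregate_failures do
      doc = filter(image(path), context)

      expect(doc.to_html).to match(%r{\A<a[^>]*>#{Regexp.escape(path)}</a>\Z})
      expect(doc.at_css('a')['href']).to eq(path)
    end

    it 'uses image alt as a link text', :aggregate_failures do
      doc = filter(image(path, alt: 'My image'), context)

      expect(doc.to_html).to match(%r{\A<a[^>]*>My image</a>\Z})
      expect(doc.at_css('a')['href']).to eq(path)
    end

    it 'uses image data-src as a link text', :aggregate_failures do
      data_src = '/uploads/data-src.png'
      doc = filter(image(path, data_src: data_src), context)

      expect(doc.to_html).to match(%r{\A<a[^>]*>#{Regexp.escape(data_src)}</a>\Z})
      expect(doc.at_css('a')['href']).to eq(data_src)
    end

    it 'adds attachment icon class to the link' do
      doc = filter(image(path), context)

      expect(doc.at_css('a')['class']).to match(%r{with-attachment-icon})
    end

    # Regression specs for markup injection through image attributes: in this
    # mode an attribute value becomes the visible text of the generated link,
    # so a value that looks like markup must not be used as that text.
    context 'when link attributes contain malicious code' do
      # Payload: an opening anchor tag carrying layout classes and a
      # data-create-path attribute, followed by a <style> block.
      let(:malicious_code) do
        # rubocop:disable Layout/LineLength
        %q(<a class='fixed-top fixed-bottom' data-create-path=/malicious-url><style> .tab-content>.tab-pane{display: block !important}</style>)
        # rubocop:enable Layout/LineLength
      end

      context 'when image alt contains malicious code' do
        it 'ignores image alt and uses image path as the link text', :aggregate_failures do
          doc = filter(image(path, alt: malicious_code), context)

          # Whole-output match: the link text is the path and nothing else is emitted.
          expect(doc.to_html).to match(%r{\A<a[^>]*>#{Regexp.escape(path)}</a>\Z})
          expect(doc.at_css('a')['href']).to eq(path)
        end
      end

      context 'when image src contains malicious code' do
        it 'ignores image src and does not use it as the link text' do
          doc = filter(image(malicious_code), context)

          # With no usable text source the link is expected to be empty.
          expect(doc.to_html).to match(%r{\A<a[^>]*></a>\Z})
        end

        it 'keeps image src unchanged, malicious code does not execute as part of url' do
          doc = filter(image(malicious_code), context)

          # Equality with the raw payload shows it was carried over as the
          # href attribute's value.
          expect(doc.at_css('a')['href']).to eq(malicious_code)
        end
      end

      context 'when image data-src contains malicious code' do
        it 'ignores data-src and uses image path as the link text', :aggregate_failures do
          doc = filter(image(path, data_src: malicious_code), context)

          expect(doc.to_html).to match(%r{\A<a[^>]*>#{Regexp.escape(path)}</a>\Z})
        end

        it 'uses image data-src, malicious code does not execute as part of url' do
          doc = filter(image(path, data_src: malicious_code), context)

          # As in the src case: the payload ends up as the href attribute's value.
          expect(doc.at_css('a')['href']).to eq(malicious_code)
        end
      end
    end
  end
end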