require 'spec_helper'

module Gitlab::Markdown
  describe SanitizationFilter do
    # Runs the filter under test (`described_class`) over `html` with the given
    # `options` and returns whatever `.call` produces; the examples below call
    # `to_html`, `css` and `at_css` on that result.
    def filter(html, options = {})
      result = described_class.call(html, options)
      result
    end

    describe 'default whitelist' do
      # Elements outside the whitelist are dropped, but their text content is kept.
      it 'sanitizes tags that are not whitelisted' do
        input    = '<textarea>no inputs</textarea> and <blink>no blinks</blink>'
        expected = 'no inputs and no blinks'
        expect(filter(input).to_html).to eq(expected)
      end

      # Event-handler attributes such as `onclick` are stripped; a plain
      # http `href` survives.
      it 'sanitizes tag attributes' do
        input    = '<a href="http://example.com/bar.html" onclick="bar">Text</a>'
        expected = '<a href="http://example.com/bar.html">Text</a>'
        expect(filter(input).to_html).to eq(expected)
      end

      # A `javascript:` URL is not rewritten — the whole `href` attribute is removed.
      it 'sanitizes javascript in attributes' do
        input    = %q(<a href="javascript:alert('foo')">Text</a>)
        expected = '<a>Text</a>'
        expect(filter(input).to_html).to eq(expected)
      end

      # Whitelisted markup passes through unchanged, newlines included.
      it 'allows whitelisted HTML tags from the user' do
        markup = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
        expect(filter(markup).to_html).to eq(markup)
      end

      # `class` and `id` are rejected on every element by default; the custom
      # whitelist group below carves out `class` for highlighted code only.
      it 'sanitizes `class` attribute on any element' do
        expect(filter('<strong class="foo">Strong</strong>').to_html)
          .to eq('<strong>Strong</strong>')
      end

      it 'sanitizes `id` attribute on any element' do
        expect(filter('<em id="foo">Emphasis</em>').to_html)
          .to eq('<em>Emphasis</em>')
      end
    end

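    describe 'custom whitelist' do
      # The one place `class` survives: syntax-highlighted code, where both the
      # `<pre>` wrapper and the inner token `<span>`s keep their classes.
      it 'allows syntax highlighting' do
        markup = %q{<pre class="code highlight white c"><code><span class="k">def</span></code></pre>}
        expect(filter(markup).to_html).to eq(markup)
      end

      # A `<span class="k">` outside a highlight block gets no such exception.
      it 'sanitizes `class` attribute from non-highlight spans' do
        expect(filter('<span class="k">def</span>').to_html).to eq('<span>def</span>')
      end

      # `style` is permitted on table cells (the examples use `text-align`).
      # The fixture is deliberately well-formed: the second row closes `<td>`
      # with `</td>` instead of relying on the HTML parser to repair a stray `</th>`.
      it 'allows `style` attribute on table elements' do
        markup = <<-HTML.strip_heredoc
        <table>
          <tr><th style="text-align: center">Head</th></tr>
          <tr><td style="text-align: right">Body</td></tr>
        </table>
        HTML

        doc = filter(markup)

        expect(doc.at_css('th')['style']).to eq('text-align: center')
        expect(doc.at_css('td')['style']).to eq('text-align: right')
      end

      it 'allows `span` elements' do
        markup = '<span>Hello</span>'
        expect(filter(markup).to_html).to eq(markup)
      end

      # `rel` is stripped even when it carries a benign value; the link element
      # itself and its `href` are preserved.
      it 'removes `rel` attribute from `a` elements' do
        doc = filter('<a href="#" rel="nofollow">Link</a>')

        expect(doc.css('a').size).to eq(1)
        expect(doc.at_css('a')['href']).to eq('#')
        expect(doc.at_css('a')['rel']).to be_nil
      end

      # Overlaps with 'sanitizes javascript in attributes' in the default
      # whitelist group, but inspects the parsed document rather than the
      # serialized HTML: the element stays, only the `href` is gone.
      it 'removes script-like `href` attribute from `a` elements' do
        doc = filter(%q{<a href="javascript:alert('Hi')">Hi</a>})

        expect(doc.css('a').size).to eq(1)
        expect(doc.at_css('a')['href']).to be_nil
      end
    end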
  end
end