2017-04-13 05:52:24 +03:00
// Copyright 2017 The Gitea Authors. All rights reserved.
// Copyright 2017 The Gogs Authors. All rights reserved.
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
2017-04-13 05:52:24 +03:00
2017-09-16 20:17:57 +03:00
package markup
2017-04-13 05:52:24 +03:00
import (
2021-04-06 00:38:31 +03:00
"html/template"
"strings"
2017-04-13 05:52:24 +03:00
"testing"
"github.com/stretchr/testify/assert"
)
func Test_Sanitizer ( t * testing . T ) {
NewSanitizer ( )
testCases := [ ] string {
// Regular
` <a onblur="alert(secret)" href="http://www.google.com">Google</a> ` , ` <a href="http://www.google.com" rel="nofollow">Google</a> ` ,
// Code highlighting class
` <code class="random string"></code> ` , ` <code></code> ` ,
` <code class="language-random ui tab active menu attached animating sidebar following bar center"></code> ` , ` <code></code> ` ,
` <code class="language-go"></code> ` , ` <code class="language-go"></code> ` ,
// Input checkbox
` <input type="hidden"> ` , ` ` ,
` <input type="checkbox"> ` , ` <input type="checkbox"> ` ,
` <input checked disabled autofocus> ` , ` <input checked="" disabled=""> ` ,
// Code highlight injection
` <code class="language-random ui tab active menu attached animating sidebar following bar center"></code> ` , ` <code></code> ` ,
` < code class = "language-lol ui tab active menu attached animating sidebar following bar center" >
< code class = "language-lol ui container input huge basic segment center" > & nbsp ; < / code >
< img src = "https://try.gogs.io/img/favicon.png" width = "200" height = "200" >
< code class = "language-lol ui container input massive basic segment" > Hello there ! Something has gone wrong , we are working on it . < / code >
< code class = "language-lol ui container input huge basic segment" > In the meantime , play a game with us at & nbsp ; < a href = "http://example.com/" > example . com < / a > . < / code >
< / code > ` , "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>" ,
2019-12-03 22:02:41 +03:00
// <kbd> tags
` <kbd>Ctrl + C</kbd> ` , ` <kbd>Ctrl + C</kbd> ` ,
2020-05-03 23:17:24 +03:00
` <i class="dropdown icon">NAUGHTY</i> ` , ` <i>NAUGHTY</i> ` ,
` <i class="icon dropdown"></i> ` , ` <i class="icon dropdown"></i> ` ,
2020-12-13 04:05:50 +03:00
` <input type="checkbox" disabled=""/>unchecked ` , ` <input type="checkbox" disabled=""/>unchecked ` ,
2020-05-03 23:17:24 +03:00
` <span class="emoji dropdown">NAUGHTY</span> ` , ` <span>NAUGHTY</span> ` ,
` <span class="emoji">contents</span> ` , ` <span class="emoji">contents</span> ` ,
2022-07-15 09:38:10 +03:00
// Color property
` <span style="color: red">Hello World</span> ` , ` <span style="color: red">Hello World</span> ` ,
` <p style="color: red">Hello World</p> ` , ` <p style="color: red">Hello World</p> ` ,
` <code style="color: red">Hello World</code> ` , ` <code>Hello World</code> ` ,
` <span style="bad-color: red">Hello World</span> ` , ` <span>Hello World</span> ` ,
` <p style="bad-color: red">Hello World</p> ` , ` <p>Hello World</p> ` ,
` <code style="bad-color: red">Hello World</code> ` , ` <code>Hello World</code> ` ,
2023-05-19 18:17:07 +03:00
2023-07-19 15:30:05 +03:00
// Org mode status of list items.
` <li class="checked"></li> ` , ` <li class="checked"></li> ` ,
` <li class="unchecked"></li> ` , ` <li class="unchecked"></li> ` ,
` <li class="indeterminate"></li> ` , ` <li class="indeterminate"></li> ` ,
2023-05-19 18:17:07 +03:00
// URLs
2023-07-18 22:48:52 +03:00
` <a href="cbthunderlink://somebase64string)">my custom URL scheme</a> ` , ` <a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a> ` ,
` <a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a> ` , ` <a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a> ` ,
// Disallow dangerous url schemes
` <a href="javascript:alert('xss')">bad</a> ` , ` bad ` ,
` <a href="vbscript:no">bad</a> ` , ` bad ` ,
` <a href="data:1234">bad</a> ` , ` bad ` ,
2017-04-13 05:52:24 +03:00
}
for i := 0 ; i < len ( testCases ) ; i += 2 {
assert . Equal ( t , testCases [ i + 1 ] , Sanitize ( testCases [ i ] ) )
}
}
2021-04-06 00:38:31 +03:00
func TestSanitizeNonEscape ( t * testing . T ) {
descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>"
2022-06-20 13:02:49 +03:00
output := template . HTML ( Sanitize ( descStr ) )
2021-04-06 00:38:31 +03:00
if strings . Contains ( string ( output ) , "<script>" ) {
t . Errorf ( "un-escaped <script> in output: %q" , output )
}
}