## File: sanitize_test.go

``````// Copyright (c) 2014, David Kitchen // // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // * Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // * Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // * Neither the name of the organisation (Microcosm) nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. 
// // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. package bluemonday import ( "encoding/base64" "net/url" "regexp" "strings" "sync" "testing" ) // test is a simple input vs output struct used to construct a slice of many // tests to run within a single test method. 
type test struct { in string expected string } func TestEmpty(t *testing.T) { p := StrictPolicy() if "" != p.Sanitize(``) { t.Error("Empty string is not empty") } } func TestSignatureBehaviour(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/8 p := UGCPolicy() input := "Hi.\n" if output := p.Sanitize(input); output != input { t.Errorf(`Sanitize() input = %s, output = %s`, input, output) } if output := string(p.SanitizeBytes([]byte(input))); output != input { t.Errorf(`SanitizeBytes() input = %s, output = %s`, input, output) } if output := p.SanitizeReader( strings.NewReader(input), ).String(); output != input { t.Errorf(`SanitizeReader() input = %s, output = %s`, input, output) } input = "\t\n \n\t" if output := p.Sanitize(input); output != input { t.Errorf(`Sanitize() input = %s, output = %s`, input, output) } if output := string(p.SanitizeBytes([]byte(input))); output != input { t.Errorf(`SanitizeBytes() input = %s, output = %s`, input, output) } if output := p.SanitizeReader( strings.NewReader(input), ).String(); output != input { t.Errorf(`SanitizeReader() input = %s, output = %s`, input, output) } } func TestAllowDocType(t *testing.T) { p := NewPolicy() p.AllowElements("b") in := "Hello, World!" expected := "Hello, World!" out := p.Sanitize(in) if out != expected { t.Errorf( "test 1 failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } // Allow the doctype and run the test again p.AllowDocType(true) expected = "Hello, World!" 
out = p.Sanitize(in) if out != expected { t.Errorf( "test 1 failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } } func TestLinks(t *testing.T) { tests := []test{ { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, } p := UGCPolicy() p.RequireParseableURLs(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestLinkTargets(t *testing.T) { tests := []test{ { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, } p := UGCPolicy() p.RequireParseableURLs(true) p.RequireNoFollowOnLinks(false) p.RequireNoFollowOnFullyQualifiedLinks(true) p.AddTargetBlankToFullyQualifiedLinks(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestStyling(t *testing.T) { tests := []test{ { in: `Hello World`, expected: `Hello World`, }, { in: `Hello World`, expected: `Hello World`, }, } p := UGCPolicy() p.AllowStyling() // These tests are run concurrently to enable the race detector to 
pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestEmptyAttributes(t *testing.T) { p := UGCPolicy() // Do not do this, especially without a Matching() clause, this is a test p.AllowAttrs("disabled").OnElements("textarea") tests := []test{ // Empty elements { in: `` + `
Styled by span
`, expected: `` + `
Styled by span
`, }, { in: `foo
bar`, expected: `foo
bar`, }, { in: `foo
bar`, expected: `foo
bar`, }, { in: `foo
bar`, expected: `foo
bar`, }, { in: `foo
bar`, expected: `foo
bar`, }, } for ii, test := range tests { out := p.Sanitize(test.in) if out != test.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, test.in, out, test.expected, ) } } } func TestDataUri(t *testing.T) { p := UGCPolicy() p.AllowURLSchemeWithCustomPolicy( "data", func(url *url.URL) (allowUrl bool) { // Allows PNG images only const prefix = "image/png;base64," if !strings.HasPrefix(url.Opaque, prefix) { return false } if _, err := base64.StdEncoding.DecodeString(url.Opaque[len(prefix):]); err != nil { return false } if url.RawQuery != "" || url.Fragment != "" { return false } return true }, ) tests := []test{ { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, } for ii, test := range tests { out := p.Sanitize(test.in) if out != test.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, test.in, out, test.expected, ) } } } func TestAntiSamy(t *testing.T) { standardUrls := regexp.MustCompile(`(?i)^https?|mailto`) p := NewPolicy() p.AllowElements( "a", "b", "br", "div", "font", "i", "img", "input", "li", "ol", "p", "span", "td", "ul", ) p.AllowAttrs("checked", "type").OnElements("input") p.AllowAttrs("color").OnElements("font") p.AllowAttrs("href").Matching(standardUrls).OnElements("a") p.AllowAttrs("src").Matching(standardUrls).OnElements("img") p.AllowAttrs("class", "id", "title").Globally() p.AllowAttrs("char").Matching( regexp.MustCompile(`p{L}`), // Single character or HTML entity only ).OnElements("td") tests := []test{ // Base64 strings // // first string is //
`, expected: ``, }, { in: `
`, expected: `
`, }, { in: `
`, expected: `
`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: "", expected: ``, }, { in: ``, expected: ``, }, { in: `PT SRC="http://ha.ckers.org/xss.js">`, expected: `PT SRC="http://ha.ckers.org/xss.js">`, }, { in: `PT SRC="http://ha.ckers.org/xss.js">`, expected: `PT SRC="http://ha.ckers.org/xss.js">`, }, { in: ``, expected: ``, }, { in: "", expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ` +ADw-SCRIPT+AD4-alert('XSS')`, expected: ` +ADw-SCRIPT+AD4-alert('XSS')`, }, { in: ``, expected: ``, }, { in: `alert("XSS")'); ?>`, expected: `alert("XSS")'); ?>`, }, { in: ``, expected: ``, }, { in: ` "> `, expected: "\n\n\n">\n", }, { in: ` `, expected: ` `, }, { in: ` `, expected: ` `, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `
`, expected: `
`, }, { in: `
`, expected: `
`, }, { in: `
`, expected: `
`, }, { in: `
`, expected: `
`, }, { in: `
`, expected: `
`, }, { in: ``, expected: `
`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `
`, expected: `
`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `
• XSS
`, expected: `
• XSS
`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `\";alert('XSS');//`, expected: `\";alert('XSS');//`, }, { in: `