1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
Fix test failures that occur when nokogiri is using system libxml:
https://github.com/rgrove/sanitize/issues/198
Taken from upstream:
https://github.com/rgrove/sanitize/commit/21da9b62baf9ea659811d92e6b574130aee57eba
diff --git a/test/test_malicious_html.rb b/test/test_malicious_html.rb
index 2c23074..0756de0 100644
--- a/test/test_malicious_html.rb
+++ b/test/test_malicious_html.rb
@@ -135,6 +135,8 @@
# The relevant libxml2 code is here:
# <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
describe 'unsafe libxml2 server-side includes in attributes' do
+ using_unpatched_libxml2 = Nokogiri::VersionInfo.instance.libxml2_using_system?
+
tag_configs = [
{
tag_name: 'a',
@@ -166,6 +168,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
it 'should escape unsafe characters in attributes' do
+ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
+
# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).
@@ -191,6 +195,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]
it 'should not escape characters unnecessarily' do
+ skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2
+
# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).
|
