use strict;
use warnings;
use Test::More;
use HTML::Restrict ();
# Sanitizer under test: only <a> survives, and only its href attribute is
# eligible to be kept.
# uri_schemes is narrowed to [undef]; in HTML::Restrict's documentation undef
# stands for scheme-less (relative) URIs, so no named scheme is allowed here.
# NOTE(review): confirm that reading against the installed HTML::Restrict.
my %restrict_args = (
    rules       => { a => ['href'] },
    uri_schemes => [undef],
);
my $hr = HTML::Restrict->new(%restrict_args);

# Every case in this file expects the href to be dropped entirely, leaving a
# bare anchor around the link text.
my $expected = '<a>click me</a>';
# Regression coverage for scheme filtering: a numeric character reference for
# each code point 0..31 is placed in front of a javascript: URI, once and then
# twice in a row, in both decimal and hex notation. URL parsers that follow the
# WHATWG rules discard leading C0 control characters before reading the scheme,
# so a sanitizer that compares the raw attribute text would miss the scheme.
# The assertion is that the whole href is gone, not merely the prefix.
# Coverage note: only leading positions and code points 0-31 are exercised;
# code point 32 (space) is outside this range.
for my $code_point ( 0 .. 31 ) {
    subtest "control char $code_point" => sub {
        my @cases = (
            [ decimal => "&#$code_point;" ],
            [ hex     => sprintf( '&#x%X;', $code_point ) ],
        );

        for my $case (@cases) {
            my ( $type, $entity ) = @{$case};

            # One reference in front of the scheme.
            my $single = $hr->process( make_link($entity) );
            is( $single, $expected, "single control char removed ($type)" );

            # The same reference repeated, to catch a filter that strips
            # only the first occurrence.
            my $double = $hr->process( make_link( $entity, $entity ) );
            is( $double, $expected, "double control char removed ($type)" );
        }
    };
}
# Two extra cases that, per their descriptions, feed a null-byte character
# reference written with additional zero padding (decimal, then hex).
# NOTE(review): both prefixes appear as the single character U+FFFD in this
# copy of the file. They were presumably zero-padded numeric character
# references that a renderer decoded; as shown, the two cases are identical and
# do not exercise what their descriptions claim. Restore the literals from the
# upstream test file before relying on these assertions.
for my $case (
    [ '�', 'null byte (decimal) with more padding' ],
    [ '�', 'null byte (hex) with more padding' ],
    )
{
    my ( $entity, $description ) = @{$case};
    is( $hr->process( make_link($entity) ), $expected, $description );
}
# Build the anchor fixture fed to the sanitizer.
# All arguments are concatenated, in order and without a separator, and placed
# directly in front of a fixed javascript: URI inside the href attribute.
# With no arguments the href starts with the scheme itself.
# Returns the markup as a string; nothing is escaped or validated here, because
# the fixture is meant to reach the sanitizer exactly as written.
sub make_link {
    my @parts    = @_;
    my $template = q{<a href="%sjavascript:alert(1);">click me</a>};
    return sprintf $template, join( q{}, @parts );
}
# No fixed plan: Test::More emits the plan from the number of tests that ran.
done_testing();