1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
use strict;
use warnings;
use Test::More;
use HTML::Restrict ();
my $hr = HTML::Restrict->new(
rules => { a => ['href'] },
uri_schemes => [undef],
);
my $expected = '<a>click me</a>';
for my $i ( 0 .. 31 ) {
subtest "control char $i" => sub {
my $dec = "&#$i;";
my $hex = sprintf( '&#x%X;', $i );
for my $prefix ( $dec, $hex ) {
my $type = $prefix =~ m{x} ? 'hex' : 'decimal';
my $single = $hr->process( make_link($prefix) );
is(
$single, $expected,
"single control char removed ($type)"
);
my $double = $hr->process( make_link( $prefix, $prefix ) );
is(
$double, $expected,
"double control char removed ($type)"
);
}
};
}
is(
$hr->process( make_link('�') ), $expected,
'null byte (decimal) with more padding'
);
is(
$hr->process( make_link('�') ), $expected,
'null byte (hex) with more padding'
);
sub make_link {
my $prefix = join q{}, @_;
return
sprintf( q{<a href="%sjavascript:alert(1);">click me</a>}, $prefix, );
}
done_testing;
|
