# frozen_string_literal: true
require_relative "common"
describe "Sanitize::Transformers::CSS::CleanAttribute" do
  make_my_diffs_pretty!
  parallelize_me!

  # Each example gets a fresh sanitizer built from the RELAXED config
  # (the config these examples rely on to let style attributes through).
  before do
    @sanitizer = Sanitize.new(Sanitize::Config::RELAXED)
  end

  it "should sanitize CSS properties in style attributes" do
    # The expression() declaration must be dropped; the harmless
    # declaration and the trailing comment are expected to survive.
    dirty = '<div style="color: #fff; width: expression(alert(1)); /* <-- evil! */"></div>'
    clean = '<div style="color: #fff; /* <-- evil! */"></div>'

    _(@sanitizer.fragment(dirty)).must_equal clean
  end

  it "should remove the style attribute if the sanitized CSS is empty" do
    # When nothing survives, the whole attribute is removed rather than an
    # empty style="" being left behind.
    dirty = '<div style="width: expression(alert(1))"></div>'

    _(@sanitizer.fragment(dirty)).must_equal "<div></div>"
  end
end
describe "Sanitize::Transformers::CSS::CleanElement" do
  make_my_diffs_pretty!
  parallelize_me!

  # Each example gets a fresh sanitizer built from the RELAXED config
  # (the config these examples rely on to let <style> elements through).
  before do
    @sanitizer = Sanitize.new(Sanitize::Config::RELAXED)
  end

  it "should sanitize CSS stylesheets in <style> elements" do
    # The stylesheet mixes safe rules with three things the expected output
    # shows being removed: the @import, the unknown "bogus" property, and the
    # expression() value (whose rule is kept but emptied).
    stylesheet = <<~HTML.strip
      <style>@import url(evil.css);
      /* Yay CSS! */
      .foo { color: #fff; }
      #bar { background: url(yay.jpg); bogus: wtf; }
      .evil { width: expression(xss()); }
      @media screen (max-width:480px) {
      .foo { width: 400px; }
      #bar:not(.baz) { height: 100px; }
      }
      </style>
    HTML

    expected = <<~HTML.strip
      <style>
      /* Yay CSS! */
      .foo { color: #fff; }
      #bar { background: url(yay.jpg); }
      .evil { }
      @media screen (max-width:480px) {
      .foo { width: 400px; }
      #bar:not(.baz) { height: 100px; }
      }
      </style>
    HTML

    _(@sanitizer.fragment(stylesheet)).must_equal expected
  end

  it "should remove the <style> element if the sanitized CSS is empty" do
    # An empty stylesheet leaves no element at all.
    _(@sanitizer.fragment("<style></style>")).must_equal ""
  end
end