File: whitewash_spec.rb

require File.expand_path('spec/spec_helper')

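# Behavioural spec for the Whitewash HTML sanitizer. Each example feeds a
# small fragment through Whitewash#sanitize and pins the exact output, so
# any loosening of the whitelist shows up as a failing expectation.
describe Whitewash do
  # The bundled whitelist is a Hash and carries the '_css' key.
  it "loads default whitelist" do
    whitelist = Whitewash.default_whitelist
    whitelist.should be_a_kind_of Hash
    whitelist.should include '_css'
  end

  # Document-level wrappers are stripped; only the fragment content remains.
  it "drops <html> and <body> elements" do
    w = Whitewash.new
    input = '<html><head></head><body><p>test</p></body>'
    output = w.sanitize(input)
    output.should == '<p>test</p>'
  end

  it "understands fragments with multiple root elements" do
    w = Whitewash.new
    input = '<p>foo</p><p>bar</p>'
    output = w.sanitize(input)
    output.should == '<p>foo</p><p>bar</p>'
  end

  # The <script> element itself is removed. Note that its text body is not
  # discarded but survives as an inert CDATA section in the output.
  it "removes <script/> element" do
    w = Whitewash.new
    input = '<p>foo <script type="text/javascript" src="test.js">bar</script> buzz</p>'
    output = w.sanitize(input)
    output.should == '<p>foo <![CDATA[bar]]> buzz</p>'
  end

  # Event-handler attributes must be dropped from otherwise allowed elements.
  # The attribute was previously misspelled "onlick": an unknown attribute
  # would be removed by any attribute whitelist, so the example did not prove
  # that real event handlers are filtered. Use the genuine name.
  it "removes onclick attribute" do
    w = Whitewash.new
    input = '<p>foo <span onclick="test()">bar</span> buzz</p>'
    output = w.sanitize(input)
    output.should == '<p>foo <span>bar</span> buzz</p>'
  end

  # A disallowed CSS property (here one pulling a remote URL) causes the
  # style attribute to be removed entirely.
  it "removes background CSS property" do
    w = Whitewash.new
    input = '<p>foo <span style="background: url(//test/t.js)">bar</span> buzz</p>'
    output = w.sanitize(input)
    output.should == '<p>foo <span>bar</span> buzz</p>'
  end

  # A block passed to #sanitize is yielded each element, and may rewrite
  # attributes before serialisation.
  it "rewrites HTML when supplied with a block" do
    w = Whitewash.new
    input = '<p>foo <img src="in.jpg"/> buzz</p>'
    output = w.sanitize(input) do |xml|
      if xml.name == 'img'
        xml['src'] = 'out.jpg'
      end
    end
    output.should == '<p>foo <img src="out.jpg" /> buzz</p>'
  end

  # Mis-nested inline tags are rebalanced rather than rejected.
  it "fixes up invalid markup" do
    w = Whitewash.new
    input = '<p>foo <strong><em>bar</strong></em> buzz</p>'
    output = w.sanitize(input)
    output.should == '<p>foo <strong><em>bar</em></strong> buzz</p>'
  end

  # The following vectors are taken from http://ha.ckers.org/xss.html

  # Mixed-case scheme must not bypass the javascript: URL check; the whole
  # src attribute is dropped.
  it "catches javascript: in img/src" do
    w = Whitewash.new
    input = %q{<IMG SRC=JaVaScRiPt:alert('XSS')>}
    output = w.sanitize(input)
    output.should == %q{<img />}
  end

  # NOTE(review): %q{} has single-quote semantics, so "\0" below is the two
  # characters '\' and '0', not a NUL byte. This example therefore does not
  # exercise a real embedded NUL as its title suggests; a genuine NUL would
  # need %Q{} or a double-quoted string. Whether the parser still yields
  # '<img />' in that case is unverified — TODO confirm before changing.
  it "handles strings with null in the middle" do
    w = Whitewash.new
    input = %q{<IMG SRC=java\0script:alert("XSS")>}
    output = w.sanitize(input)
    output.should == %q{<img />}
  end

  # Stray '<' characters around a <SCRIPT> tag: the script element is
  # dropped and the remaining text is wrapped in a paragraph.
  it "handles extra open brackets" do
    w = Whitewash.new
    input = %q{<<SCRIPT>alert("XSS");//<</SCRIPT>}
    output = w.sanitize(input)
    output.should == '<p>alert("XSS");//</p>'
  end

  # <STYLE> with a remote @import is removed together with its content.
  it "removes remote stylesheet link" do
    w = Whitewash.new
    input = %q{<P><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></P>}
    output = w.sanitize(input)
    output.should == '<p></p>'
  end

  # IE-style XML data island: the <XML> tree is dropped, the leftover "]]>"
  # is entity-escaped as text, and the data-bound attributes on <SPAN> are
  # stripped.
  it "removes XML data island with CDATA obfuscation" do
    w = Whitewash.new
    input = %{<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>}
    output = w.sanitize(input)
    output.should == ']]&gt; <span></span>'
  end
end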