<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
test(t => {
  // Start from a config that allows nothing, so that after removeUnsafe()
  // the only entries present are the ones removeUnsafe() itself added.
  const sanitizer = new Sanitizer({});
  sanitizer.removeUnsafe();
  const config = sanitizer.get();

  // The allow-lists must stay empty: removeUnsafe() only extends the
  // remove-lists, it never adds anything that would be kept.
  assert_equals(config.elements.length, 0, "no elements");
  assert_equals(config.replaceWithChildrenElements.length, 0, "no replaceWithChildrenElements");
  assert_equals(config.attributes.length, 0, "no attributes");

  // Expected removeElements, in the order the spec lists them:
  // https://wicg.github.io/sanitizer-api/#built-in-safe-baseline-configuration
  const XHTML_NS = "http://www.w3.org/1999/xhtml";
  const SVG_NS = "http://www.w3.org/2000/svg";
  const element = (namespace, name) => ({ namespace, name });
  const SAFE_BASELINE = {
    "removeElements": [
      element(XHTML_NS, "script"),
      element(XHTML_NS, "frame"),
      element(XHTML_NS, "iframe"),
      element(XHTML_NS, "object"),
      element(XHTML_NS, "embed"),
      element(SVG_NS, "script"),
      element(SVG_NS, "use"),
    ],
    "removeAttributes": [],
  };

  // Compare entry by entry; the implementation is expected to report the
  // baseline in spec order, so index i of both lists must agree.
  assert_equals(config.removeElements.length, SAFE_BASELINE.removeElements.length);
  for (const [i, expected] of SAFE_BASELINE.removeElements.entries()) {
    const actual = config.removeElements[i];
    assert_own_property(actual, "name");
    assert_equals(actual.name, expected.name);
    assert_own_property(actual, "namespace");
    assert_equals(actual.namespace, expected.namespace);
  }

  // The exact attribute list is implementation-defined ("event handler
  // content attributes"), so only check its shape: non-empty, every entry
  // is an on* attribute, and none of them is namespaced.
  assert_true(config.removeAttributes.length > 0, "Has removeAttributes");
  for (const attr of config.removeAttributes) {
    assert_own_property(attr, "name");
    assert_true(attr.name.startsWith("on"), `attribute '${attr.name}' starts with "on"`);
    assert_own_property(attr, "namespace"); // XXX Maybe optional?
    assert_equals(attr.namespace, null, "attribute is in null namespace");
  }
}, "removeUnsafe removes the right elements and attributes");
test(t => {
  // Snapshot the built-in "default" config, then take a second copy and
  // apply removeUnsafe() to it, so the two can be compared field by field.
  const before = new Sanitizer("default").get();
  const unsafeRemoved = new Sanitizer("default");
  unsafeRemoved.removeUnsafe();
  const after = unsafeRemoved.get();

  // The default allow-list contains no unsafe elements, so removeUnsafe()
  // must leave it untouched.
  assert_true(before.elements.length > 0);
  assert_equals(before.elements.length, after.elements.length, "elements don't change");

  // replaceWithChildrenElements is not part of the default config and is
  // not touched by removeUnsafe() either.
  assert_equals(before.replaceWithChildrenElements.length, 0);
  assert_equals(after.replaceWithChildrenElements.length, 0);

  // removeElements starts empty and gains the 7 entries of the
  // safe-baseline list (5 XHTML elements, 2 SVG elements).
  assert_equals(before.removeElements.length, 0);
  assert_equals(after.removeElements.length, 7, "removeElements are added");

  // Likewise, none of the default allow-listed attributes are unsafe.
  assert_true(before.attributes.length > 0);
  assert_equals(before.attributes.length, after.attributes.length, "attributes don't change");

  // removeAttributes gains the implementation-defined "event handler
  // content attributes"; only assert that some were added.
  assert_equals(before.removeAttributes.length, 0);
  assert_true(after.removeAttributes.length > 0, "removeAttributes are added");
}, "removeUnsafe with default config");
</script>
</body>
</html>