diff options
| author | kaniini <nenolod@gmail.com> | 2018-09-22 03:50:39 +0000 |
|---|---|---|
| committer | kaniini <nenolod@gmail.com> | 2018-09-22 03:50:39 +0000 |
| commit | 3193423be9f288b186fe97997228aae84a8e730c (patch) | |
| tree | f00ebf515952f260d0a494851b05301b251141db | |
| parent | 7e12ef0ab0cccfde8d46c48f5cc6e4a27f9291c3 (diff) | |
| parent | 85b59d07b64ad45fe5213a173e5857418620d171 (diff) | |
| download | pleroma-3193423be9f288b186fe97997228aae84a8e730c.tar.gz | |
Merge branch 'feature/html-scrub-policy-tests' into 'develop'
html: add scrub policy tests
See merge request pleroma/pleroma!356
| -rw-r--r-- | lib/pleroma/html.ex | 2 | ||||
| -rw-r--r-- | test/html_test.exs | 80 |
2 files changed, 82 insertions, 0 deletions
diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex index 878fac28c..cf18f070c 100644 --- a/lib/pleroma/html.ex +++ b/lib/pleroma/html.ex @@ -69,6 +69,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do "alt" ]) end + + Meta.strip_everything_not_covered() end defmodule Pleroma.HTML.Scrubber.Default do diff --git a/test/html_test.exs b/test/html_test.exs new file mode 100644 index 000000000..f7150759b --- /dev/null +++ b/test/html_test.exs @@ -0,0 +1,80 @@ +defmodule Pleroma.HTMLTest do + alias Pleroma.HTML + use Pleroma.DataCase + + @html_sample """ + <b>this is in bold</b> + <p>this is a paragraph</p> + this is a linebreak<br /> + this is an image: <img src="http://example.com/image.jpg"><br /> + <script>alert('hacked')</script> + """ + + @html_onerror_sample """ + <img src="http://example.com/image.jpg" onerror="alert('hacked')"> + """ + + describe "StripTags scrubber" do + test "works as expected" do + expected = """ + this is in bold + this is a paragraph + this is a linebreak + this is an image: + alert('hacked') + """ + + assert expected == HTML.strip_tags(@html_sample) + end + + test "does not allow attribute-based XSS" do + expected = "\n" + + assert expected == HTML.strip_tags(@html_onerror_sample) + end + end + + describe "TwitterText scrubber" do + test "normalizes HTML as expected" do + expected = """ + this is in bold + <p>this is a paragraph</p> + this is a linebreak<br /> + this is an image: <img src="http://example.com/image.jpg" /><br /> + alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText) + end + + test "does not allow attribute-based XSS" do + expected = """ + <img src="http://example.com/image.jpg" /> + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText) + end + end + + describe "default scrubber" do + test "normalizes HTML as expected" do + expected = """ + <b>this is in bold</b> + <p>this is a paragraph</p> + this is a linebreak<br /> + this is an image: <img src="http://example.com/image.jpg" /><br /> + alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default) + end + + test "does not allow attribute-based XSS" do + expected = """ + <img src="http://example.com/image.jpg" /> + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default) + end + end +end |