mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-23 08:36:29 +00:00
Merge branch 'feature/html-scrub-policy-tests' into 'develop'
html: add scrub policy tests See merge request pleroma/pleroma!356
This commit is contained in:
commit
3193423be9
2 changed files with 82 additions and 0 deletions
|
@ -69,6 +69,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
||||||
"alt"
|
"alt"
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
Meta.strip_everything_not_covered()
|
||||||
end
|
end
|
||||||
|
|
||||||
defmodule Pleroma.HTML.Scrubber.Default do
|
defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
|
|
80
test/html_test.exs
Normal file
80
test/html_test.exs
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
defmodule Pleroma.HTMLTest do
|
||||||
|
alias Pleroma.HTML
|
||||||
|
use Pleroma.DataCase
|
||||||
|
|
||||||
|
@html_sample """
|
||||||
|
<b>this is in bold</b>
|
||||||
|
<p>this is a paragraph</p>
|
||||||
|
this is a linebreak<br />
|
||||||
|
this is an image: <img src="http://example.com/image.jpg"><br />
|
||||||
|
<script>alert('hacked')</script>
|
||||||
|
"""
|
||||||
|
|
||||||
|
@html_onerror_sample """
|
||||||
|
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
||||||
|
"""
|
||||||
|
|
||||||
|
describe "StripTags scrubber" do
|
||||||
|
test "works as expected" do
|
||||||
|
expected = """
|
||||||
|
this is in bold
|
||||||
|
this is a paragraph
|
||||||
|
this is a linebreak
|
||||||
|
this is an image:
|
||||||
|
alert('hacked')
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.strip_tags(@html_sample)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does not allow attribute-based XSS" do
|
||||||
|
expected = "\n"
|
||||||
|
|
||||||
|
assert expected == HTML.strip_tags(@html_onerror_sample)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "TwitterText scrubber" do
|
||||||
|
test "normalizes HTML as expected" do
|
||||||
|
expected = """
|
||||||
|
this is in bold
|
||||||
|
<p>this is a paragraph</p>
|
||||||
|
this is a linebreak<br />
|
||||||
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
||||||
|
alert('hacked')
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does not allow attribute-based XSS" do
|
||||||
|
expected = """
|
||||||
|
<img src="http://example.com/image.jpg" />
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "default scrubber" do
|
||||||
|
test "normalizes HTML as expected" do
|
||||||
|
expected = """
|
||||||
|
<b>this is in bold</b>
|
||||||
|
<p>this is a paragraph</p>
|
||||||
|
this is a linebreak<br />
|
||||||
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
||||||
|
alert('hacked')
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does not allow attribute-based XSS" do
|
||||||
|
expected = """
|
||||||
|
<img src="http://example.com/image.jpg" />
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue