Move sanitization tests into their own file.
Also adds an explicit test that the [link](...) syntax is sanitized.
This commit is contained in:
parent
7b5191107e
commit
7daa6e8b70
180
inline_test.go
180
inline_test.go
@ -69,186 +69,6 @@ func doTestsInlineParam(t *testing.T, tests []string, extensions, htmlFlags int)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRawHtmlTag(t *testing.T) {
|
||||
tests := []string{
|
||||
"zz <style>p {}</style>\n",
|
||||
"<p>zz <style>p {}</style></p>\n",
|
||||
|
||||
"zz <STYLE>p {}</STYLE>\n",
|
||||
"<p>zz <style>p {}</style></p>\n",
|
||||
|
||||
"<SCRIPT>alert()</SCRIPT>\n",
|
||||
"<p><script>alert()</script></p>\n",
|
||||
|
||||
"zz <SCRIPT>alert()</SCRIPT>\n",
|
||||
"<p>zz <script>alert()</script></p>\n",
|
||||
|
||||
"zz <script>alert()</script>\n",
|
||||
"<p>zz <script>alert()</script></p>\n",
|
||||
|
||||
" <script>alert()</script>\n",
|
||||
"<p><script>alert()</script></p>\n",
|
||||
|
||||
"<script>alert()</script>\n",
|
||||
"<script>alert()</script>\n",
|
||||
|
||||
"<script src='foo'></script>\n",
|
||||
"<script src='foo'></script>\n",
|
||||
|
||||
"<script src='a>b'></script>\n",
|
||||
"<script src='a>b'></script>\n",
|
||||
|
||||
"zz <script src='foo'></script>\n",
|
||||
"<p>zz <script src='foo'></script></p>\n",
|
||||
|
||||
"zz <script src=foo></script>\n",
|
||||
"<p>zz <script src=foo></script></p>\n",
|
||||
|
||||
`<script><script src="http://example.com/exploit.js"></SCRIPT></script>`,
|
||||
"<script><script src="http://example.com/exploit.js"></script></script>\n",
|
||||
|
||||
`'';!--"<XSS>=&{()}`,
|
||||
"<p>'';!--"<xss>=&{()}</p>\n",
|
||||
|
||||
"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
|
||||
"<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n",
|
||||
|
||||
"<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>",
|
||||
"<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n",
|
||||
|
||||
`<IMG SRC="javascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=JaVaScRiPt:alert('XSS')>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<a onmouseover="alert(document.cookie)">xss link</a>`,
|
||||
"<p><a>xss link</a></p>\n",
|
||||
|
||||
"<a onmouseover=alert(document.cookie)>xss link</a>",
|
||||
"<p><a>xss link</a></p>\n",
|
||||
|
||||
`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
|
||||
"<p><img><script>alert("XSS")</script>"></p>\n",
|
||||
|
||||
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC=# onmouseover="alert('xxs')">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC= onmouseover="alert('xxs')">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG onmouseover="alert('xxs')">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
"<IMG SRC=javascript:alert('XSS')>",
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC="javascriptascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC="jav	ascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC="jav
ascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC="jav
ascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<IMG SRC="  javascript:alert('XSS');">`,
|
||||
"<p><img></p>\n",
|
||||
|
||||
`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
||||
"<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n",
|
||||
|
||||
"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
|
||||
"<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n",
|
||||
|
||||
`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
||||
"<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n",
|
||||
|
||||
`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
|
||||
"<p><<script>alert("XSS");//<</script></p>\n",
|
||||
|
||||
"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
|
||||
"<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n",
|
||||
|
||||
"<SCRIPT SRC=//ha.ckers.org/.j>",
|
||||
"<p><script SRC=//ha.ckers.org/.j></p>\n",
|
||||
|
||||
`<IMG SRC="javascript:alert('XSS')"`,
|
||||
"<p><IMG SRC="javascript:alert('XSS')"</p>\n",
|
||||
|
||||
"<iframe src=http://ha.ckers.org/scriptlet.html <",
|
||||
// The hyperlink gets linkified, the <iframe> gets escaped
|
||||
"<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",
|
||||
|
||||
// Additonal token types: SelfClosing, Comment, DocType.
|
||||
"<br/>",
|
||||
"<p><br/></p>\n",
|
||||
|
||||
"<!-- Comment -->",
|
||||
"<!-- Comment -->\n",
|
||||
|
||||
"<!DOCTYPE test>",
|
||||
"<p><!DOCTYPE test></p>\n",
|
||||
}
|
||||
doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
|
||||
}
|
||||
|
||||
func TestQuoteEscaping(t *testing.T) {
|
||||
tests := []string{
|
||||
// Make sure quotes are transported correctly (different entities or
|
||||
// unicode, but correct semantics)
|
||||
"<p>Here are some "quotes".</p>\n",
|
||||
"<p>Here are some "quotes".</p>\n",
|
||||
|
||||
"<p>Here are some “quotes”.</p>\n",
|
||||
"<p>Here are some \u201Cquotes\u201D.</p>\n",
|
||||
|
||||
// Within a <script> tag, content gets parsed by the raw text parsing rules.
|
||||
// This test makes sure we correctly disable those parsing rules and do not
|
||||
// escape e.g. the closing </p>.
|
||||
`Here are <script> some "quotes".`,
|
||||
"<p>Here are <script> some "quotes".</p>\n",
|
||||
|
||||
// Same test for an unknown element that does not switch into raw mode.
|
||||
`Here are <eviltag> some "quotes".`,
|
||||
"<p>Here are <eviltag> some "quotes".</p>\n",
|
||||
}
|
||||
doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
|
||||
}
|
||||
|
||||
func TestSanitizeSelfClosingTag(t *testing.T) {
|
||||
tests := []string{
|
||||
"<hr>\n",
|
||||
"<hr>\n",
|
||||
|
||||
"<hr/>\n",
|
||||
"<hr/>\n",
|
||||
|
||||
// Make sure that evil attributes are stripped for self closing tags.
|
||||
"<hr onclick=\"evil()\"/>\n",
|
||||
"<hr/>\n",
|
||||
}
|
||||
doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
|
||||
}
|
||||
|
||||
func TestEmphasis(t *testing.T) {
|
||||
var tests = []string{
|
||||
"nothing inline\n",
|
||||
|
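--- /dev/null
+++ b/sanitize_test.go
@@ -0,0 +1,197 @@
+package blackfriday
+
+import (
+"testing"
+)
+
+func doTestsSanitize(t *testing.T, tests []string) {
+doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
+}
+
+func TestSanitizeRawHtmlTag(t *testing.T) {
+tests := []string{
+"zz <style>p {}</style>\n",
+"<p>zz <style>p {}</style></p>\n",
+
+"zz <STYLE>p {}</STYLE>\n",
+"<p>zz <style>p {}</style></p>\n",
+
+"<SCRIPT>alert()</SCRIPT>\n",
+"<p><script>alert()</script></p>\n",
+
+"zz <SCRIPT>alert()</SCRIPT>\n",
+"<p>zz <script>alert()</script></p>\n",
+
+"zz <script>alert()</script>\n",
+"<p>zz <script>alert()</script></p>\n",
+
+" <script>alert()</script>\n",
+"<p><script>alert()</script></p>\n",
+
+"<script>alert()</script>\n",
+"<script>alert()</script>\n",
+
+"<script src='foo'></script>\n",
+"<script src='foo'></script>\n",
+
+"<script src='a>b'></script>\n",
+"<script src='a>b'></script>\n",
+
+"zz <script src='foo'></script>\n",
+"<p>zz <script src='foo'></script></p>\n",
+
+"zz <script src=foo></script>\n",
+"<p>zz <script src=foo></script></p>\n",
+
+`<script><script src="http://example.com/exploit.js"></SCRIPT></script>`,
+"<script><script src="http://example.com/exploit.js"></script></script>\n",
+
+`'';!--"<XSS>=&{()}`,
+"<p>'';!--"<xss>=&{()}</p>\n",
+
+"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
+"<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n",
+
+"<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>",
+"<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n",
+
+`<IMG SRC="javascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+"<IMG SRC=javascript:alert('XSS')>",
+"<p><img></p>\n",
+
+"<IMG SRC=JaVaScRiPt:alert('XSS')>",
+"<p><img></p>\n",
+
+"<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
+"<p><img></p>\n",
+
+`<a onmouseover="alert(document.cookie)">xss link</a>`,
+"<p><a>xss link</a></p>\n",
+
+"<a onmouseover=alert(document.cookie)>xss link</a>",
+"<p><a>xss link</a></p>\n",
+
+`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
+"<p><img><script>alert("XSS")</script>"></p>\n",
+
+"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
+"<p><img></p>\n",
+
+`<IMG SRC=# onmouseover="alert('xxs')">`,
+"<p><img></p>\n",
+
+`<IMG SRC= onmouseover="alert('xxs')">`,
+"<p><img></p>\n",
+
+`<IMG onmouseover="alert('xxs')">`,
+"<p><img></p>\n",
+
+"<IMG SRC=javascript:alert('XSS')>",
+"<p><img></p>\n",
+
+"<IMG SRC=javascript:alert('XSS')>",
+"<p><img></p>\n",
+
+"<IMG SRC=javascript:alert('XSS')>",
+"<p><img></p>\n",
+
+`<IMG SRC="javascriptascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+`<IMG SRC="jav	ascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+`<IMG SRC="jav
+ascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+`<IMG SRC="jav
+ascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+`<IMG SRC="  javascript:alert('XSS');">`,
+"<p><img></p>\n",
+
+`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
+"<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n",
+
+"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
+"<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n",
+
+`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
+"<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n",
+
+`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
+"<p><<script>alert("XSS");//<</script></p>\n",
+
+"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
+"<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n",
+
+"<SCRIPT SRC=//ha.ckers.org/.j>",
+"<p><script SRC=//ha.ckers.org/.j></p>\n",
+
+`<IMG SRC="javascript:alert('XSS')"`,
+"<p><IMG SRC="javascript:alert('XSS')"</p>\n",
+
+"<iframe src=http://ha.ckers.org/scriptlet.html <",
+// The hyperlink gets linkified, the <iframe> gets escaped
+"<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",
+
+// Additonal token types: SelfClosing, Comment, DocType.
+"<br/>",
+"<p><br/></p>\n",
+
+"<!-- Comment -->",
+"<!-- Comment -->\n",
+
+"<!DOCTYPE test>",
+"<p><!DOCTYPE test></p>\n",
+}
+doTestsSanitize(t, tests)
+}
+
+func TestSanitizeQuoteEscaping(t *testing.T) {
+tests := []string{
+// Make sure quotes are transported correctly (different entities or
+// unicode, but correct semantics)
+"<p>Here are some "quotes".</p>\n",
+"<p>Here are some "quotes".</p>\n",
+
+"<p>Here are some “quotes”.</p>\n",
+"<p>Here are some \u201Cquotes\u201D.</p>\n",
+
+// Within a <script> tag, content gets parsed by the raw text parsing rules.
+// This test makes sure we correctly disable those parsing rules and do not
+// escape e.g. the closing </p>.
+`Here are <script> some "quotes".`,
+"<p>Here are <script> some "quotes".</p>\n",
+
+// Same test for an unknown element that does not switch into raw mode.
+`Here are <eviltag> some "quotes".`,
+"<p>Here are <eviltag> some "quotes".</p>\n",
+}
+doTestsSanitize(t, tests)
+}
+
+func TestSanitizeSelfClosingTag(t *testing.T) {
+tests := []string{
+"<hr>\n",
+"<hr>\n",
+
+"<hr/>\n",
+"<hr/>\n",
+
+// Make sure that evil attributes are stripped for self closing tags.
+"<hr onclick=\"evil()\"/>\n",
+"<hr/>\n",
+}
+doTestsSanitize(t, tests)
+}
+
+func TestSanitizeInlineLink(t *testing.T) {
+tests := []string{
+"[link](javascript:evil)",
+"<p><a>link</a></p>\n",
+}
+doTestsSanitize(t, tests)
+}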
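Review bot: TestSanitizeInlineLink pins only the exact lowercase `javascript:evil` form, so the case and whitespace variants that TestSanitizeRawHtmlTag already exercises for `<img src>` (`JaVaScRiPt:`, the tab-split `jav\tascript:`, leading spaces) are never checked for the Markdown link path, and there is no positive pair showing that a benign `http:` href survives sanitization, which a sanitizer that strips every href would also pass. I would extend the slice as below; the expected serialization of the kept href is inferred from the autolink case in TestSanitizeRawHtmlTag and should be confirmed against the renderer before pinning it, and the `![alt](...)` image syntax deserves the same treatment. The helper doTestsSanitize also lacks a doc comment; `// doTestsSanitize runs the inline tests with HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT so every expected string is the sanitizer's output.` would cover it.

```go
	tests := []string{
		// … unchanged: existing javascript:evil pair …

		// Scheme matching must be case-insensitive, as the <img> cases require.
		"[link](JaVaScRiPt:evil)",
		"<p><a>link</a></p>\n",

		// A harmless href must be kept; confirm the exact attribute form.
		"[link](http://example.com/)",
		"<p><a href=\"http://example.com/\">link</a></p>\n",
	}
```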