package blackfriday
import (
"testing"
)
// doTestsSanitize feeds a list of alternating input / expected-output strings
// (as laid out by the callers in this file) through the inline test driver
// with no markdown extensions and the HTML renderer configured to skip
// <style> content and sanitize its output.
func doTestsSanitize(t *testing.T, tests []string) {
	htmlFlags := HTML_SKIP_STYLE | HTML_SANITIZE_OUTPUT
	var params HtmlRendererParameters
	// Extensions are deliberately 0: only the renderer flags are under test here.
	doTestsInlineParam(t, tests, 0, htmlFlags, params)
}
// TestSanitizeRawHtmlTag runs raw HTML (mostly classic XSS probe strings) through
// the sanitizing renderer and compares against the expected HTML. Entries come in
// pairs: markdown input first, expected rendered output second.
//
// NOTE(review): several expected outputs in this copy contain unescaped double
// quotes inside a double-quoted Go literal (e.g. the exploit.js and body-onload
// cases) and three consecutive identical `<IMG SRC=javascript:alert('XSS')>`
// inputs; this looks like HTML entities were decoded when the file was rendered.
// Confirm the literals against the repository source before relying on them.
func TestSanitizeRawHtmlTag(t *testing.T) {
	tests := []string{
		// <style> / <script> in various cases and positions; the renderer is
		// expected to lowercase the tag name (see the STYLE/SCRIPT cases).
		"zz <style>p {}</style>\n",
		"<p>zz <style>p {}</style></p>\n",

		"zz <STYLE>p {}</STYLE>\n",
		"<p>zz <style>p {}</style></p>\n",

		"<SCRIPT>alert()</SCRIPT>\n",
		"<p><script>alert()</script></p>\n",

		"zz <SCRIPT>alert()</SCRIPT>\n",
		"<p>zz <script>alert()</script></p>\n",

		"zz <script>alert()</script>\n",
		"<p>zz <script>alert()</script></p>\n",

		" <script>alert()</script>\n",
		"<p><script>alert()</script></p>\n",

		// A script tag alone on its line is treated as a block, not wrapped in <p>.
		"<script>alert()</script>\n",
		"<script>alert()</script>\n",

		"<script src='foo'></script>\n",
		"<script src='foo'></script>\n",

		// A '>' inside a quoted attribute value must not end the tag early.
		"<script src='a>b'></script>\n",
		"<script src='a>b'></script>\n",

		"zz <script src='foo'></script>\n",
		"<p>zz <script src='foo'></script></p>\n",

		"zz <script src=foo></script>\n",
		"<p>zz <script src=foo></script></p>\n",

		`<script><script src="http://example.com/exploit.js"></SCRIPT></script>`,
		"<script><script src="http://example.com/exploit.js"></script></script>\n",

		`'';!--"<XSS>=&{()}`,
		"<p>'';!--"<xss>=&{()}</p>\n",

		"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
		"<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n",

		// Newline between tag name and attribute.
		"<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>",
		"<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n",

		// javascript: image sources (quoted, unquoted, mixed case, backticked)
		// are expected to come out as a bare <img> with the src dropped.
		`<IMG SRC="javascript:alert('XSS');">`,
		"<p><img></p>\n",

		"<IMG SRC=javascript:alert('XSS')>",
		"<p><img></p>\n",

		"<IMG SRC=JaVaScRiPt:alert('XSS')>",
		"<p><img></p>\n",

		"<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
		"<p><img></p>\n",

		// Event-handler attributes are expected to be stripped from <a>.
		`<a onmouseover="alert(document.cookie)">xss link</a>`,
		"<p><a>xss link</a></p>\n",

		"<a onmouseover=alert(document.cookie)>xss link</a>",
		"<p><a>xss link</a></p>\n",

		`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
		"<p><img><script>alert("XSS")</script>"></p>\n",

		"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
		"<p><img></p>\n",

		// A harmless src is kept while the handler attribute is dropped.
		`<IMG SRC=# onmouseover="alert('xxs')">`,
		"<p><img src=\"#\"></p>\n",

		`<IMG SRC= onmouseover="alert('xxs')">`,
		"<p><img></p>\n",

		`<IMG onmouseover="alert('xxs')">`,
		"<p><img></p>\n",

		"<IMG SRC=javascript:alert('XSS')>",
		"<p><img></p>\n",

		"<IMG SRC=javascript:alert('XSS')>",
		"<p><img></p>\n",

		"<IMG SRC=javascript:alert('XSS')>",
		"<p><img></p>\n",

		`<IMG SRC="javascriptascript:alert('XSS');">`,
		"<p><img></p>\n",

		// Whitespace (tab, newline, leading spaces) inside the scheme.
		`<IMG SRC="jav	ascript:alert('XSS');">`,
		"<p><img></p>\n",

		`<IMG SRC="jav
ascript:alert('XSS');">`,
		"<p><img></p>\n",

		`<IMG SRC="jav
ascript:alert('XSS');">`,
		"<p><img></p>\n",

		`<IMG SRC="  javascript:alert('XSS');">`,
		"<p><img></p>\n",

		// Malformed tag syntax: a '/' separating tag name and attributes.
		`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
		"<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n",

		"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
		"<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n",

		`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
		"<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n",

		`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
		"<p><<script>alert("XSS");//<</script></p>\n",

		// Unterminated tags.
		"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
		"<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n",

		"<SCRIPT SRC=//ha.ckers.org/.j>",
		"<p><script SRC=//ha.ckers.org/.j></p>\n",

		`<IMG SRC="javascript:alert('XSS')"`,
		"<p><IMG SRC="javascript:alert('XSS')"</p>\n",

		"<iframe src=http://ha.ckers.org/scriptlet.html <",
		// The URL is auto-linked into an <a>, while the unterminated <iframe> is escaped.
		"<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",

		// Additional token types: SelfClosing, Comment, DocType.
		"<br/>",
		"<p><br/></p>\n",

		"<!-- Comment -->",
		"<!-- Comment -->\n",

		"<!DOCTYPE test>",
		"<p><!DOCTYPE test></p>\n",
	}
	doTestsSanitize(t, tests)
}
// TestSanitizeQuoteEscaping checks how quote characters survive the sanitizing
// renderer, including inside a <script> element and an unknown element.
// Entries come in pairs: input first, expected output second.
//
// NOTE(review): the plain-ASCII quote cases in this copy contain unescaped
// double quotes inside double-quoted Go literals, which suggests HTML entities
// were decoded when the file was rendered; confirm against the repository source.
func TestSanitizeQuoteEscaping(t *testing.T) {
	tests := []string{
		// Make sure quotes are transported correctly (different entities or
		// unicode, but correct semantics)
		"<p>Here are some "quotes".</p>\n",
		"<p>Here are some "quotes".</p>\n",

		// Curly quotes: literal characters in, \u escapes out (same code points).
		"<p>Here are some “quotes”.</p>\n",
		"<p>Here are some \u201Cquotes\u201D.</p>\n",

		// Within a <script> tag, content gets parsed by the raw text parsing rules.
		// This test makes sure we correctly disable those parsing rules and do not
		// escape e.g. the closing </p>.
		`Here are <script> some "quotes".`,
		"<p>Here are <script> some "quotes".</p>\n",

		// Same test for an unknown element that does not switch into raw mode.
		`Here are <eviltag> some "quotes".`,
		"<p>Here are <eviltag> some "quotes".</p>\n",
	}
	doTestsSanitize(t, tests)
}
// TestSanitizeSelfClosingTag checks that <hr> and <hr/> pass through the
// sanitizing renderer unchanged, while an event-handler attribute on a
// self-closing tag is dropped. Entries are input / expected-output pairs.
func TestSanitizeSelfClosingTag(t *testing.T) {
	doTestsSanitize(t, []string{
		"<hr>\n",
		"<hr>\n",

		"<hr/>\n",
		"<hr/>\n",

		// An onclick handler on a self-closing tag must not survive sanitizing.
		"<hr onclick=\"evil()\"/>\n",
		"<hr/>\n",
	})
}
// TestSanitizeInlineLink checks markdown link destinations under the sanitizing
// renderer: a javascript: destination yields an <a> with no href, while a plain
// relative path keeps its href. Entries are input / expected-output pairs.
func TestSanitizeInlineLink(t *testing.T) {
	cases := []string{
		// javascript: destination -> anchor rendered without href
		"[link](javascript:evil)",
		"<p><a>link</a></p>\n",
		// relative path -> href preserved
		"[link](/abc)",
		"<p><a href=\"/abc\">link</a></p>\n",
	}

	doTestsSanitize(t, cases)
}