| author | Misko Hevery | 2010-11-23 20:10:05 -0800 |
|---|---|---|
| committer | Misko Hevery | 2010-11-29 21:55:32 -0800 |
| commit | 41d5938883a3d06ffe8a88a51efd8d1896f7d747 (patch) | |
| tree | a80f013e6d69a2162e2933559ed671b71121df5b /test | |
| parent | 5480d2a80b7a6bafe7541d99eb53fd35fdd8faac (diff) | |
| download | angular.js-41d5938883a3d06ffe8a88a51efd8d1896f7d747.tar.bz2 | |
Fixed sanitization
* explicitly require full URLs (ftp|https?://...)
* list the URI attributes
* remove a lot of unneeded attributes
Diffstat (limited to 'test')
| -rw-r--r-- | test/sanitizerSpec.js | 49 |
1 files changed, 35 insertions, 14 deletions
diff --git a/test/sanitizerSpec.js b/test/sanitizerSpec.js
index 4e1ff355..88da693d 100644
--- a/test/sanitizerSpec.js
+++ b/test/sanitizerSpec.js
@@ -6,7 +6,7 @@ describe('HTML', function(){
 it('should echo html', function(){
 expectHTML('hello<b class="1\'23" align=\'""\'>world</b>.').
- toEqual('hello<b class="1\'23" align="""">world</b>.');
+ toEqual('hello<b class="1\'23" align="""">world</b>.');
 });
 it('should remove script', function(){
@@ -49,9 +49,15 @@ describe('HTML', function(){
 expectHTML('a<my:hr/><my:div>b</my:div>c').toEqual('abc');
 });
+ it('should handle entities', function(){
+ var everything = '<div id="!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ">' +
+ '!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ</div>';
+ expectHTML(everything).toEqual(everything);
+ });
+
 it('should handle improper html', function(){
- expectHTML('< div id="</div>" alt=abc href=\'"\' >text< /div>').
- toEqual('<div id="</div>" alt="abc" href=""">text</div>');
+ expectHTML('< div id="</div>" alt=abc dir=\'"\' >text< /div>').
+ toEqual('<div id="</div>" alt="abc" dir=""">text</div>');
 });
 it('should handle improper html2', function(){
@@ -81,19 +87,14 @@ describe('HTML', function(){
 expect(html).toEqual('a<div>&</div>c');
 });
- it('should not double escape entities', function(){
- writer.chars(' ><');
- expect(html).toEqual(' ><');
- });
-
 it('should escape IE script', function(){
- writer.chars('&{}');
- expect(html).toEqual('&{}');
+ writer.chars('&<>{}');
+ expect(html).toEqual('&<>{}');
 });
 it('should escape attributes', function(){
- writer.start('div', {id:'\"\'<>'});
- expect(html).toEqual('<div id=""\'<>">');
+ writer.start('div', {id:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
+ expect(html).toEqual('<div id="!@#$%^&*()_+-={}[]:";\'<>?,./`~ � ħ">');
 });
 it('should ignore missformed elements', function(){
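Review bot: Deleting 'should not double escape entities' removes the only writer.chars case that fed already-escaped text, and the remaining 'should escape IE script' case pins just `&<>{}`, so this hunk no longer states whether writer.chars re-escapes an `&` that begins an entity reference (this page renders entities decoded, so the literal strings here cannot be read back exactly). If unconditional escaping of `&` is the intended, safer behaviour, a direct case such as `writer.chars('&amp;')` with its expected output would document that decision next to the IE-script case. The `\n\0\r\u0127` additions in 'should escape attributes' are a good check that control characters in attribute values are encoded rather than passed through. The enclosing describe block starts before this hunk.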
@@ -105,12 +106,32 @@ describe('HTML', function(){
 writer.start('div', {unknown:""});
 expect(html).toEqual('<div>');
 });
+
+ describe('isUri', function(){
+
+ function isUri(value) {
+ return value.match(URI_REGEXP);
+ }
+
+ it('should be URI', function(){
+ expect(isUri('http://abc')).toBeTruthy();
+ expect(isUri('https://abc')).toBeTruthy();
+ expect(isUri('ftp://abc')).toBeTruthy();
+ expect(isUri('mailto:me@example.com')).toBeTruthy();
+ expect(isUri('#anchor')).toBeTruthy();
+ });
+
+ it('should not be UIR', function(){
+ expect(isUri('')).toBeFalsy();
+ expect(isUri('javascript:alert')).toBeFalsy();
+ });
+ });
 describe('javascript URL attribute', function(){
 beforeEach(function(){
 this.addMatchers({
 toBeValidUrl: function(){
- return !isJavaScriptUrl(this.actual);
+ return URI_REGEXP.exec(this.actual);
 }
 });
 });
@@ -118,7 +139,7 @@ describe('HTML', function(){
 it('should ignore javascript:', function(){
 expect('JavaScript:abc').not.toBeValidUrl();
 expect(' \n Java\n Script:abc').not.toBeValidUrl();
- expect('JavaScript/my.js').toBeValidUrl();
+ expect('http://JavaScript/my.js').toBeValidUrl();
 });
 it('should ignore dec encoded javascript:', function(){
|
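Review bot: `toBeValidUrl` now returns `URI_REGEXP.exec(this.actual)`, an array or null, where a Jasmine matcher is expected to return a boolean; `.not` still negates it correctly, but `return URI_REGEXP.test(this.actual);` states the intent, and the same applies to the `isUri` helper, `return URI_REGEXP.test(value);`. If URI_REGEXP is declared with a `g` or `y` flag (its declaration is not on this page), `.exec`/`.test` advance `lastIndex` between calls and the repeated expectations in 'should be URI' would fail on alternate inputs, so check the declaration before relying on either form. The negative set for isUri is thin, `''` and `javascript:alert`; since the commit's purpose is to require full URLs, the mixed-case input the matcher suite already uses, `expect(isUri('JavaScript:abc')).toBeFalsy();`, would pin the new rule where it is defined. The title 'should not be UIR' misspells URI.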
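Review bot: Replacing `'JavaScript/my.js'` with `'http://JavaScript/my.js'` drops the assertion about a bare relative path, so this test no longer records whether relative URLs are rejected under the new URI_REGEXP, which is the behaviour change the commit description announces. If they are meant to be rejected, keep the old input as a negative alongside the new positive: `expect('JavaScript/my.js').not.toBeValidUrl();`. The enclosing describe block starts before this hunk and continues after it.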
