| author | Misko Hevery | 2010-12-03 15:42:11 -0800 |
|---|---|---|
| committer | Misko Hevery | 2010-12-03 15:42:42 -0800 |
| commit | 2bbced212e2ee93948c45360fee00b2e3f960392 (patch) | |
| tree | a42ea9b49c42c37b9f8e42fa0fc4bf1fb906f948 /test | |
| parent | 5a8ad8fe329fc09898ff43a060710265d38393be (diff) | |
| download | angular.js-2bbced212e2ee93948c45360fee00b2e3f960392.tar.bz2 | |
Fix sanitization issues as suggested by evn
Diffstat (limited to 'test')
| -rw-r--r-- | test/sanitizerSpec.js | 65 |
1 files changed, 54 insertions, 11 deletions
diff --git a/test/sanitizerSpec.js b/test/sanitizerSpec.js
index 88da693d..3ad6c1c9 100644
--- a/test/sanitizerSpec.js
+++ b/test/sanitizerSpec.js
@@ -33,7 +33,7 @@ describe('HTML', function(){
 expectHTML('a<SCRIPT>ev<script>evil</sCript>il</scrIpt>c.').toEqual('ac.');
 });
- it('should remove unknown tag names', function(){
+ it('should remove unknown names', function(){
 expectHTML('a<xxx><B>b</B></xxx>c').toEqual('a<b>b</b>c');
 });
@@ -50,21 +50,33 @@ describe('HTML', function(){
 });
 it('should handle entities', function(){
- var everything = '<div id="!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ">' +
+ var everything = '<div rel="!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ">' +
 '!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ</div>';
 expectHTML(everything).toEqual(everything);
 });
 it('should handle improper html', function(){
- expectHTML('< div id="</div>" alt=abc dir=\'"\' >text< /div>').
- toEqual('<div id="</div>" alt="abc" dir=""">text</div>');
+ expectHTML('< div rel="</div>" alt=abc dir=\'"\' >text< /div>').
+ toEqual('<div rel="</div>" alt="abc" dir=""">text</div>');
 });
 it('should handle improper html2', function(){
- expectHTML('< div id="</div>" / >').
- toEqual('<div id="</div>"/>');
+ expectHTML('< div rel="</div>" / >').
+ toEqual('<div rel="</div>"/>');
 });
-
+
+ it('should ignore back slash as escape', function(){
+ expectHTML('<img alt="xxx\\" title="><script>....">').
+ toEqual('<img alt="xxx\\" title="><script>...."/>');
+ });
+
+ it('should ignore object attributes', function(){
+ expectHTML('<a constructor="hola">:)</a>').
+ toEqual('<a>:)</a>');
+ expectHTML('<constructor constructor="hola">:)</constructor>').
+ toEqual('');
+ });
+
 describe('htmlSanitizerWriter', function(){
 var writer, html;
 beforeEach(function(){
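Review bot: The new expectation in 'should handle improper html' still pins `dir=""">` — a raw `"` emitted inside a double-quoted attribute value — so the test accepts output in which the value terminates its own quote; the output the sanitizer should produce here is `dir="&quot;"`, and the test should pin that (the same question applies to the raw `<`/`>` in `title="><script>...."` in the new back-slash test, though the writer hunk below still expects `<>` unencoded at this commit, so that may be a deliberate sequencing of fixes). The new 'should ignore object attributes' test guards only `constructor`; other inherited `Object.prototype` names such as `toString` and `hasOwnProperty` (and `__proto__`) deserve the same `<a toString="x">` / `<toString>` assertions so an allow-list lookup that falls through to the prototype is caught generally rather than for one name. The 'should handle entities' block and the enclosing describe continue outside the hunk.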
@@ -74,12 +86,12 @@ describe('HTML', function(){
 it('should write basic HTML', function(){
 writer.chars('before');
- writer.start('div', {id:'123'}, false);
+ writer.start('div', {rel:'123'}, false);
 writer.chars('in');
 writer.end('div');
 writer.chars('after');
- expect(html).toEqual('before<div id="123">in</div>after');
+ expect(html).toEqual('before<div rel="123">in</div>after');
 });
 it('should escape text nodes', function(){
@@ -93,8 +105,8 @@ describe('HTML', function(){
 });
 it('should escape attributes', function(){
- writer.start('div', {id:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
- expect(html).toEqual('<div id="!@#$%^&*()_+-={}[]:";\'<>?,./`~ � ħ">');
+ writer.start('div', {rel:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
+ expect(html).toEqual('<div rel="!@#$%^&*()_+-={}[]:";\'<>?,./`~ � ħ">');
 });
 it('should ignore missformed elements', function(){
@@ -107,6 +119,37 @@ describe('HTML', function(){
 expect(html).toEqual('<div>');
 });
+ describe('explicitly dissallow', function(){
+ it('should not allow attributes', function(){
+ writer.start('div', {id:'a', name:'a', style:'a'});
+ expect(html).toEqual('<div>');
+ });
+
+ it('should not allow tags', function(){
+ function tag(name) {
+ writer.start(name, {});
+ writer.end(name);
+ };
+ tag('frameset');
+ tag('frame');
+ tag('form');
+ tag('param');
+ tag('object');
+ tag('embed');
+ tag('textarea');
+ tag('input');
+ tag('button');
+ tag('option');
+ tag('select');
+ tag('script');
+ tag('style');
+ tag('link');
+ tag('base');
+ tag('basefont');
+ expect(html).toEqual('');
+ });
+ });
+
 describe('isUri', function(){
 function isUri(value) { |
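Review bot: 'should not allow tags' in the last hunk checks `html` only once after all sixteen `tag()` calls, so when one tag leaks the failure reports the whole accumulated string without naming the offender; moving the assertion into the helper, `function tag(name) { writer.start(name, {}); writer.end(name); expect(html).toEqual(''); }`, fails at the first disallowed tag that gets written (assuming `html` accumulates across calls, as the beforeEach outside this hunk presumably arranges). The `;` after that function declaration is a stray empty statement and should be dropped, and the describe label `'explicitly dissallow'` is misspelled (`disallow`). 'should not allow attributes' rejects `id`, `name` and `style` in one call; a per-attribute assertion would likewise tell which one slipped through. The enclosing 'htmlSanitizerWriter' describe starts and ends outside the hunk.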
