From 2bbced212e2ee93948c45360fee00b2e3f960392 Mon Sep 17 00:00:00 2001
From: Misko Hevery
Date: Fri, 3 Dec 2010 15:42:11 -0800
Subject: Fix sanitization issues as suggested by evn
---
test/sanitizerSpec.js | 65 ++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 54 insertions(+), 11 deletions(-)
diff --git a/test/sanitizerSpec.js b/test/sanitizerSpec.js
index 88da693d..3ad6c1c9 100644
--- a/test/sanitizerSpec.js
+++ b/test/sanitizerSpec.js
@@ -33,7 +33,7 @@ describe('HTML', function(){
expectHTML('ailc.').toEqual('ac.');
});
- it('should remove unknown tag names', function(){
+ it('should remove unknown names', function(){
expectHTML('abc').toEqual('abc');
});
@@ -50,21 +50,33 @@ describe('HTML', function(){
});
it('should handle entities', function(){
- var everything = '
' +
+ var everything = '
' +
'!@#$%^&*()_+-={}[]:";\'<>?,./`~ ħ
';
expectHTML(everything).toEqual(everything);
});
it('should handle improper html', function(){
- expectHTML('< div id="
" alt=abc dir=\'"\' >text< /div>').
- toEqual('text
');
+ expectHTML('< div rel="" alt=abc dir=\'"\' >text< /div>').
+ toEqual('text
');
});
it('should handle improper html2', function(){
- expectHTML('< div id="" / >').
- toEqual('');
+ expectHTML('< div rel="" / >').
+ toEqual('');
});
-
+
+ it('should ignore back slash as escape', function(){
+ expectHTML('
').
+ toEqual('
');
+ });
+
+ it('should ignore object attributes', function(){
+ expectHTML(':)').
+ toEqual(':)');
+ expectHTML(':)').
+ toEqual('');
+ });
+
describe('htmlSanitizerWriter', function(){
var writer, html;
beforeEach(function(){
@@ -74,12 +86,12 @@ describe('HTML', function(){
it('should write basic HTML', function(){
writer.chars('before');
- writer.start('div', {id:'123'}, false);
+ writer.start('div', {rel:'123'}, false);
writer.chars('in');
writer.end('div');
writer.chars('after');
- expect(html).toEqual('beforein
after');
+ expect(html).toEqual('beforein
after');
});
it('should escape text nodes', function(){
@@ -93,8 +105,8 @@ describe('HTML', function(){
});
it('should escape attributes', function(){
- writer.start('div', {id:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
- expect(html).toEqual('');
+ writer.start('div', {rel:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
+ expect(html).toEqual('
');
});
it('should ignore missformed elements', function(){
@@ -107,6 +119,37 @@ describe('HTML', function(){
expect(html).toEqual('
');
});
+ describe('explicitly dissallow', function(){
+ it('should not allow attributes', function(){
+ writer.start('div', {id:'a', name:'a', style:'a'});
+ expect(html).toEqual('
');
+ });
+
+ it('should not allow tags', function(){
+ function tag(name) {
+ writer.start(name, {});
+ writer.end(name);
+ };
+ tag('frameset');
+ tag('frame');
+ tag('form');
+ tag('param');
+ tag('object');
+ tag('embed');
+ tag('textarea');
+ tag('input');
+ tag('button');
+ tag('option');
+ tag('select');
+ tag('script');
+ tag('style');
+ tag('link');
+ tag('base');
+ tag('basefont');
+ expect(html).toEqual('');
+ });
+ });
+
describe('isUri', function(){
function isUri(value) {
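Review bot: The `tag` helper at the start of 'should not allow tags' writes all sixteen element names before the single `expect(html).toEqual('')` at the end, so when one name regresses the failure shows only the accumulated output and does not say which tag leaked. Asserting inside the helper localises it: `function tag(name) { writer.start(name, {}); writer.end(name); expect(html).toEqual(''); }` (html is never reset between calls, so each call still sees an empty accumulator as long as the previous ones passed). The list is lowercase only; whether the writer matches names case-insensitively is not visible in this hunk, so a mixed-case entry such as `tag('Script')` would pin down that the check does not depend on the caller's casing. The `;` after the `function tag` declaration is redundant and can be dropped. The enclosing `describe('htmlSanitizerWriter')` block and the `beforeEach` that creates `writer` and `html` start outside this hunk.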
--