html: lock down allowed class attributes to only those related to microformats
[akkoma] / test / html_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.HTMLTest do
6 alias Pleroma.HTML
7 use Pleroma.DataCase
8
9 @html_sample """
10 <b>this is in bold</b>
11 <p>this is a paragraph</p>
12 this is a linebreak<br />
13 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
14 this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
15 this is an image: <img src="http://example.com/image.jpg"><br />
16 <script>alert('hacked')</script>
17 """
18
19 @html_onerror_sample """
20 <img src="http://example.com/image.jpg" onerror="alert('hacked')">
21 """
22
23 @html_span_class_sample """
24 <span class="animate-spin">hi</span>
25 """
26
27 @html_span_microformats_sample """
28 <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
29 """
30
31 @html_span_invalid_microformats_sample """
32 <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
33 """
34
35 describe "StripTags scrubber" do
36 test "works as expected" do
37 expected = """
38 this is in bold
39 this is a paragraph
40 this is a linebreak
41 this is a link with allowed "rel" attribute: example.com
42 this is a link with not allowed "rel" attribute: example.com
43 this is an image:
44 alert('hacked')
45 """
46
47 assert expected == HTML.strip_tags(@html_sample)
48 end
49
50 test "does not allow attribute-based XSS" do
51 expected = "\n"
52
53 assert expected == HTML.strip_tags(@html_onerror_sample)
54 end
55 end
56
57 describe "TwitterText scrubber" do
58 test "normalizes HTML as expected" do
59 expected = """
60 this is in bold
61 <p>this is a paragraph</p>
62 this is a linebreak<br />
63 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
64 this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
65 this is an image: <img src="http://example.com/image.jpg" /><br />
66 alert('hacked')
67 """
68
69 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
70 end
71
72 test "does not allow attribute-based XSS" do
73 expected = """
74 <img src="http://example.com/image.jpg" />
75 """
76
77 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
78 end
79
80 test "does not allow spans with invalid classes" do
81 expected = """
82 <span>hi</span>
83 """
84
85 assert expected ==
86 HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
87 end
88
89 test "does allow microformats" do
90 expected = """
91 <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
92 """
93
94 assert expected ==
95 HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
96 end
97
98 test "filters invalid microformats markup" do
99 expected = """
100 <span class="h-card"><a>@<span>foo</span></a></span>
101 """
102
103 assert expected ==
104 HTML.filter_tags(
105 @html_span_invalid_microformats_sample,
106 Pleroma.HTML.Scrubber.TwitterText
107 )
108 end
109 end
110
111 describe "default scrubber" do
112 test "normalizes HTML as expected" do
113 expected = """
114 <b>this is in bold</b>
115 <p>this is a paragraph</p>
116 this is a linebreak<br />
117 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
118 this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
119 this is an image: <img src="http://example.com/image.jpg" /><br />
120 alert('hacked')
121 """
122
123 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
124 end
125
126 test "does not allow attribute-based XSS" do
127 expected = """
128 <img src="http://example.com/image.jpg" />
129 """
130
131 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
132 end
133
134 test "does not allow spans with invalid classes" do
135 expected = """
136 <span>hi</span>
137 """
138
139 assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
140 end
141
142 test "does allow microformats" do
143 expected = """
144 <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
145 """
146
147 assert expected ==
148 HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
149 end
150
151 test "filters invalid microformats markup" do
152 expected = """
153 <span class="h-card"><a>@<span>foo</span></a></span>
154 """
155
156 assert expected ==
157 HTML.filter_tags(
158 @html_span_invalid_microformats_sample,
159 Pleroma.HTML.Scrubber.Default
160 )
161 end
162 end
163 end
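Review bot: The "filters invalid microformats markup" tests (TwitterText at lines 98–108, Default at 151–161) show that the whole `class` attribute is dropped when one token is outside the allow-list, but nothing states that this is the intended contract rather than per-token filtering; a comment above `expected` such as `# one disallowed token discards the entire class attribute, not just that token` would pin it down. The allow-list is exercised only with lowercase `h-card` / `u-url mention` on `span` and `a`; one case with a value that merely shares a prefix (e.g. `h-cardx`) and one with a `class` on a different element would confirm the new rule is anchored and applied to every tag, which the present cases cannot show. The same five tests are repeated verbatim for both scrubbers, so a `for scrubber <- [Pleroma.HTML.Scrubber.TwitterText, Pleroma.HTML.Scrubber.Default]` loop around the shared cases would keep the two describe blocks from drifting. The scrubber modules themselves are outside this file, so whether the allow-list is pattern- or token-based is inferred here from the expected output alone.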