git.squeep.com Git - akkoma/blob - test/html_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.HTMLTest do
   6   alias Pleroma.HTML
   7   use Pleroma.DataCase
   8
   9   @html_sample """
  10     <b>this is in bold</b>
  11     <p>this is a paragraph</p>
  12     this is a linebreak<br />
  13     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
  14     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
  15     this is an image: <img src="http://example.com/image.jpg"><br />
  16     <script>alert('hacked')</script>
  17   """
  18
  19   @html_onerror_sample """
  20     <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  21   """
  22
  23   @html_span_class_sample """
  24     <span class="animate-spin">hi</span>
  25   """
  26
  27   @html_span_microformats_sample """
  28     <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
  29   """
  30
  31   @html_span_invalid_microformats_sample """
  32     <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
  33   """
  34
  35   describe "StripTags scrubber" do
  36     test "works as expected" do
  37       expected = """
  38       this is in bold
  39         this is a paragraph
  40         this is a linebreak
  41         this is a link with allowed "rel" attribute: example.com
  42         this is a link with not allowed "rel" attribute: example.com
  43         this is an image:
  44         alert('hacked')
  45       """
  46
  47       assert expected == HTML.strip_tags(@html_sample)
  48     end
  49
  50     test "does not allow attribute-based XSS" do
  51       expected = "\n"
  52
  53       assert expected == HTML.strip_tags(@html_onerror_sample)
  54     end
  55   end
  56
  57   describe "TwitterText scrubber" do
  58     test "normalizes HTML as expected" do
  59       expected = """
  60       this is in bold
  61         <p>this is a paragraph</p>
  62         this is a linebreak<br />
  63         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
  64         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
  65         this is an image: <img src="http://example.com/image.jpg" /><br />
  66         alert('hacked')
  67       """
  68
  69       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
  70     end
  71
  72     test "does not allow attribute-based XSS" do
  73       expected = """
  74       <img src="http://example.com/image.jpg" />
  75       """
  76
  77       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
  78     end
  79
  80     test "does not allow spans with invalid classes" do
  81       expected = """
  82       <span>hi</span>
  83       """
  84
  85       assert expected ==
  86                HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
  87     end
  88
  89     test "does allow microformats" do
  90       expected = """
  91       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
  92       """
  93
  94       assert expected ==
  95                HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
  96     end
  97
  98     test "filters invalid microformats markup" do
  99       expected = """
 100       <span class="h-card"><a>@<span>foo</span></a></span>
 101       """
 102
 103       assert expected ==
 104                HTML.filter_tags(
 105                  @html_span_invalid_microformats_sample,
 106                  Pleroma.HTML.Scrubber.TwitterText
 107                )
 108     end
 109   end
 110
 111   describe "default scrubber" do
 112     test "normalizes HTML as expected" do
 113       expected = """
 114       <b>this is in bold</b>
 115         <p>this is a paragraph</p>
 116         this is a linebreak<br />
 117         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
 118         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
 119         this is an image: <img src="http://example.com/image.jpg" /><br />
 120         alert('hacked')
 121       """
 122
 123       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
 124     end
 125
 126     test "does not allow attribute-based XSS" do
 127       expected = """
 128       <img src="http://example.com/image.jpg" />
 129       """
 130
 131       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
 132     end
 133
 134     test "does not allow spans with invalid classes" do
 135       expected = """
 136       <span>hi</span>
 137       """
 138
 139       assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
 140     end
 141
 142     test "does allow microformats" do
 143       expected = """
 144       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
 145       """
 146
 147       assert expected ==
 148                HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
 149     end
 150
 151     test "filters invalid microformats markup" do
 152       expected = """
 153       <span class="h-card"><a>@<span>foo</span></a></span>
 154       """
 155
 156       assert expected ==
 157                HTML.filter_tags(
 158                  @html_span_invalid_microformats_sample,
 159                  Pleroma.HTML.Scrubber.Default
 160                )
 161     end
 162   end
 163 end