git.squeep.com Git - akkoma/blob - test/html_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.HTMLTest do
   6   alias Pleroma.HTML
   7   use Pleroma.DataCase
   8
   9   @html_sample """
  10     <b>this is in bold</b>
  11     <p>this is a paragraph</p>
  12     this is a linebreak<br />
  13     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
  14     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
  15     this is an image: <img src="http://example.com/image.jpg"><br />
  16     <script>alert('hacked')</script>
  17   """
  18
  19   @html_onerror_sample """
  20     <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  21   """
  22
  23   describe "StripTags scrubber" do
  24     test "works as expected" do
  25       expected = """
  26       this is in bold
  27         this is a paragraph
  28         this is a linebreak
  29         this is a link with allowed "rel" attribute: example.com
  30         this is a link with not allowed "rel" attribute: example.com
  31         this is an image:
  32         alert('hacked')
  33       """
  34
  35       assert expected == HTML.strip_tags(@html_sample)
  36     end
  37
  38     test "does not allow attribute-based XSS" do
  39       expected = "\n"
  40
  41       assert expected == HTML.strip_tags(@html_onerror_sample)
  42     end
  43   end
  44
  45   describe "TwitterText scrubber" do
  46     test "normalizes HTML as expected" do
  47       expected = """
  48       this is in bold
  49         <p>this is a paragraph</p>
  50         this is a linebreak<br />
  51         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
  52         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
  53         this is an image: <img src="http://example.com/image.jpg" /><br />
  54         alert('hacked')
  55       """
  56
  57       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
  58     end
  59
  60     test "does not allow attribute-based XSS" do
  61       expected = """
  62       <img src="http://example.com/image.jpg" />
  63       """
  64
  65       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
  66     end
  67   end
  68
  69   describe "default scrubber" do
  70     test "normalizes HTML as expected" do
  71       expected = """
  72       <b>this is in bold</b>
  73         <p>this is a paragraph</p>
  74         this is a linebreak<br />
  75         this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
  76         this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
  77         this is an image: <img src="http://example.com/image.jpg" /><br />
  78         alert('hacked')
  79       """
  80
  81       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
  82     end
  83
  84     test "does not allow attribute-based XSS" do
  85       expected = """
  86       <img src="http://example.com/image.jpg" />
  87       """
  88
  89       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
  90     end
  91   end
  92 end