1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.HTMLTest do
10 <b>this is in bold</b>
11 <p>this is a paragraph</p>
12 this is a linebreak<br />
13 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
14 this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
15 this is an image: <img src="http://example.com/image.jpg"><br />
16 <script>alert('hacked')</script>
19 @html_onerror_sample """
20 <img src="http://example.com/image.jpg" onerror="alert('hacked')">
23 describe "StripTags scrubber" do
24 test "works as expected" do
29 this is a link with allowed "rel" attribute: example.com
30 this is a link with not allowed "rel" attribute: example.com
35 assert expected == HTML.strip_tags(@html_sample)
38 test "does not allow attribute-based XSS" do
41 assert expected == HTML.strip_tags(@html_onerror_sample)
45 describe "TwitterText scrubber" do
46 test "normalizes HTML as expected" do
49 <p>this is a paragraph</p>
50 this is a linebreak<br />
51 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
52 this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
53 this is an image: <img src="http://example.com/image.jpg" /><br />
57 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
60 test "does not allow attribute-based XSS" do
62 <img src="http://example.com/image.jpg" />
65 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
69 describe "default scrubber" do
70 test "normalizes HTML as expected" do
72 <b>this is in bold</b>
73 <p>this is a paragraph</p>
74 this is a linebreak<br />
75 this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
76 this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
77 this is an image: <img src="http://example.com/image.jpg" /><br />
81 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
84 test "does not allow attribute-based XSS" do
86 <img src="http://example.com/image.jpg" />
89 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)