1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.HTMLTest do
10 <b>this is in bold</b>
11 <p>this is a paragraph</p>
12 this is a linebreak<br />
13 this is an image: <img src="http://example.com/image.jpg"><br />
14 <script>alert('hacked')</script>
17 @html_onerror_sample """
18 <img src="http://example.com/image.jpg" onerror="alert('hacked')">
21 describe "StripTags scrubber" do
22 test "works as expected" do
31 assert expected == HTML.strip_tags(@html_sample)
34 test "does not allow attribute-based XSS" do
37 assert expected == HTML.strip_tags(@html_onerror_sample)
41 describe "TwitterText scrubber" do
42 test "normalizes HTML as expected" do
45 <p>this is a paragraph</p>
46 this is a linebreak<br />
47 this is an image: <img src="http://example.com/image.jpg" /><br />
51 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
54 test "does not allow attribute-based XSS" do
56 <img src="http://example.com/image.jpg" />
59 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
63 describe "default scrubber" do
64 test "normalizes HTML as expected" do
66 <b>this is in bold</b>
67 <p>this is a paragraph</p>
68 this is a linebreak<br />
69 this is an image: <img src="http://example.com/image.jpg" /><br />
73 assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
76 test "does not allow attribute-based XSS" do
78 <img src="http://example.com/image.jpg" />
81 assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)