+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
defmodule Pleroma.HTMLTest do
alias Pleroma.HTML
use Pleroma.DataCase
<b>this is in bold</b>
<p>this is a paragraph</p>
this is a linebreak<br />
+ this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
+ this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
this is an image: <img src="http://example.com/image.jpg"><br />
<script>alert('hacked')</script>
"""
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
"""
+ @html_span_class_sample """
+ <span class="animate-spin">hi</span>
+ """
+
+ @html_span_microformats_sample """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ @html_span_invalid_microformats_sample """
+ <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
+ """
+
describe "StripTags scrubber" do
test "works as expected" do
expected = """
this is in bold
this is a paragraph
this is a linebreak
+ this is a link with allowed "rel" attribute: example.com
+ this is a link with not allowed "rel" attribute: example.com
this is an image:
alert('hacked')
"""
this is in bold
<p>this is a paragraph</p>
this is a linebreak<br />
+ this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
+ this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
this is an image: <img src="http://example.com/image.jpg" /><br />
alert('hacked')
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ <span>hi</span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ <span class="h-card"><a>@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.TwitterText
+ )
+ end
end
describe "default scrubber" do
<b>this is in bold</b>
<p>this is a paragraph</p>
this is a linebreak<br />
+ this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
+ this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
this is an image: <img src="http://example.com/image.jpg" /><br />
alert('hacked')
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ <span>hi</span>
+ """
+
+ assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ <span class="h-card"><a>@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.Default
+ )
+ end
end
end
projects / akkoma / blobdiff