X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;ds=sidebyside;f=test%2Fhtml_test.exs;h=7d37568844915adae8a6f95b8e100a1bae7760ad;hb=9c672ecbb5d4477cd16d2139a2cb66d3923ac5c8;hp=29cab17f3a7807ca8173f31d3023258aebea8bfb;hpb=89fbed88212657e3dcd4bbcb2c0718b07802037f;p=akkoma
diff --git a/test/html_test.exs b/test/html_test.exs
index 29cab17f3..7d3756884 100644
--- a/test/html_test.exs
+++ b/test/html_test.exs
@@ -1,31 +1,51 @@
# Pleroma: A lightweight social networking server
-# Copyright © 2017-2018 Pleroma Authors
+# Copyright © 2017-2020 Pleroma Authors
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.HTMLTest do
alias Pleroma.HTML
+ alias Pleroma.Object
+ alias Pleroma.Web.CommonAPI
use Pleroma.DataCase
+ import Pleroma.Factory
+
@html_sample """
this is in bold
this is a paragraph
this is a linebreak
+ this is a link with allowed "rel" attribute: example.com
+ this is a link with not allowed "rel" attribute: example.com
this is an image:
"""
@html_onerror_sample """
-
+
+ """
+
+ @html_span_class_sample """
+ hi
+ """
+
+ @html_span_microformats_sample """
+ @foo
+ """
+
+ @html_span_invalid_microformats_sample """
+ @foo
"""
describe "StripTags scrubber" do
test "works as expected" do
expected = """
- this is in bold
+ this is in bold
this is a paragraph
this is a linebreak
+ this is a link with allowed "rel" attribute: example.com
+ this is a link with not allowed "rel" attribute: example.com
this is an image:
- alert('hacked')
+ alert('hacked')
"""
assert expected == HTML.strip_tags(@html_sample)
@@ -41,11 +61,13 @@ defmodule Pleroma.HTMLTest do
describe "TwitterText scrubber" do
test "normalizes HTML as expected" do
expected = """
- this is in bold
+ this is in bold
this is a paragraph
- this is a linebreak
- this is an image:
- alert('hacked')
+ this is a linebreak
+ this is a link with allowed "rel" attribute: example.com
+ this is a link with not allowed "rel" attribute: example.com
+ this is an image:
+ alert('hacked')
"""
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
@@ -53,21 +75,53 @@ defmodule Pleroma.HTMLTest do
test "does not allow attribute-based XSS" do
expected = """
-
+
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ hi
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ @foo
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ @foo
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.TwitterText
+ )
+ end
end
describe "default scrubber" do
test "normalizes HTML as expected" do
expected = """
- this is in bold
+ this is in bold
this is a paragraph
- this is a linebreak
- this is an image:
- alert('hacked')
+ this is a linebreak
+ this is a link with allowed "rel" attribute: example.com
+ this is a link with not allowed "rel" attribute: example.com
+ this is an image:
+ alert('hacked')
"""
assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
@@ -75,10 +129,127 @@ defmodule Pleroma.HTMLTest do
test "does not allow attribute-based XSS" do
expected = """
-
+
"""
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ hi
+ """
+
+ assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ @foo
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ @foo
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.Default
+ )
+ end
+ end
+
+ describe "extract_first_external_url_from_object" do
+ test "extracts the url" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ status:
+ "I think I just found the best github repo https://github.com/komeiji-satori/Dress"
+ })
+
+ object = Object.normalize(activity)
+ {:ok, url} = HTML.extract_first_external_url_from_object(object)
+ assert url == "https://github.com/komeiji-satori/Dress"
+ end
+
+ test "skips mentions" do
+ user = insert(:user)
+ other_user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ status:
+ "@#{other_user.nickname} install misskey! https://github.com/syuilo/misskey/blob/develop/docs/setup.en.md"
+ })
+
+ object = Object.normalize(activity)
+ {:ok, url} = HTML.extract_first_external_url_from_object(object)
+
+ assert url == "https://github.com/syuilo/misskey/blob/develop/docs/setup.en.md"
+
+ refute url == other_user.ap_id
+ end
+
+ test "skips hashtags" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ status: "#cofe https://www.pixiv.net/member_illust.php?mode=medium&illust_id=72255140"
+ })
+
+ object = Object.normalize(activity)
+ {:ok, url} = HTML.extract_first_external_url_from_object(object)
+
+ assert url == "https://www.pixiv.net/member_illust.php?mode=medium&illust_id=72255140"
+ end
+
+ test "skips microformats hashtags" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ status:
+ "#cofe https://www.pixiv.net/member_illust.php?mode=medium&illust_id=72255140",
+ content_type: "text/html"
+ })
+
+ object = Object.normalize(activity)
+ {:ok, url} = HTML.extract_first_external_url_from_object(object)
+
+ assert url == "https://www.pixiv.net/member_illust.php?mode=medium&illust_id=72255140"
+ end
+
+ test "does not crash when there is an HTML entity in a link" do
+ user = insert(:user)
+
+ {:ok, activity} = CommonAPI.post(user, %{status: "\"http://cofe.com/?boomer=ok&foo=bar\""})
+
+ object = Object.normalize(activity)
+
+ assert {:ok, nil} = HTML.extract_first_external_url_from_object(object)
+ end
+
+ test "skips attachment links" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ status:
+ "image.png"
+ })
+
+ object = Object.normalize(activity)
+
+ assert {:ok, nil} = HTML.extract_first_external_url_from_object(object)
+ end
end
end