git.squeep.com Git - akkoma/blob - test/html_test.exs

   1 defmodule Pleroma.HTMLTest do
   2   alias Pleroma.HTML
   3   use Pleroma.DataCase
   4
   5   @html_sample """
   6     <b>this is in bold</b>
   7     <p>this is a paragraph</p>
   8     this is a linebreak<br />
   9     this is an image: <img src="http://example.com/image.jpg"><br />
  10     <script>alert('hacked')</script>
  11   """
  12
  13   @html_onerror_sample """
  14     <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  15   """
  16
  17   describe "StripTags scrubber" do
  18     test "works as expected" do
  19       expected = """
  20       this is in bold
  21         this is a paragraph
  22         this is a linebreak
  23         this is an image:
  24         alert('hacked')
  25       """
  26
  27       assert expected == HTML.strip_tags(@html_sample)
  28     end
  29
  30     test "does not allow attribute-based XSS" do
  31       expected = "\n"
  32
  33       assert expected == HTML.strip_tags(@html_onerror_sample)
  34     end
  35   end
  36
  37   describe "TwitterText scrubber" do
  38     test "normalizes HTML as expected" do
  39       expected = """
  40       this is in bold
  41         <p>this is a paragraph</p>
  42         this is a linebreak<br />
  43         this is an image: <img src="http://example.com/image.jpg" /><br />
  44         alert('hacked')
  45       """
  46
  47       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
  48     end
  49
  50     test "does not allow attribute-based XSS" do
  51       expected = """
  52       <img src="http://example.com/image.jpg" />
  53       """
  54
  55       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
  56     end
  57   end
  58
  59   describe "default scrubber" do
  60     test "normalizes HTML as expected" do
  61       expected = """
  62       <b>this is in bold</b>
  63         <p>this is a paragraph</p>
  64         this is a linebreak<br />
  65         this is an image: <img src="http://example.com/image.jpg" /><br />
  66         alert('hacked')
  67       """
  68
  69       assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
  70     end
  71
  72     test "does not allow attribute-based XSS" do
  73       expected = """
  74       <img src="http://example.com/image.jpg" />
  75       """
  76
  77       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
  78     end
  79   end
  80 end