mirror of
https://github.com/schollz/cowyo.git
synced 2023-08-10 21:13:00 +03:00
1509 lines
49 KiB
Go
1509 lines
49 KiB
Go
// Copyright (c) 2014, David Kitchen <david@buro9.com>
|
|
//
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// * Redistributions of source code must retain the above copyright notice, this
|
|
// list of conditions and the following disclaimer.
|
|
//
|
|
// * Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// * Neither the name of the organisation (Microcosm) nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
package bluemonday
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"net/url"
|
|
"regexp"
|
|
"strings"
|
|
"sync"
|
|
"testing"
|
|
)
|
|
|
|
// test is a simple input vs output struct used to construct a slice of many
|
|
// tests to run within a single test method.
|
|
type test struct {
|
|
in string
|
|
expected string
|
|
}
|
|
|
|
func TestEmpty(t *testing.T) {
|
|
p := StrictPolicy()
|
|
|
|
if "" != p.Sanitize(``) {
|
|
t.Error("Empty string is not empty")
|
|
}
|
|
}
|
|
|
|
func TestSignatureBehaviour(t *testing.T) {
|
|
// https://github.com/microcosm-cc/bluemonday/issues/8
|
|
p := UGCPolicy()
|
|
|
|
input := "Hi.\n"
|
|
|
|
if output := p.Sanitize(input); output != input {
|
|
t.Errorf(`Sanitize() input = %s, output = %s`, input, output)
|
|
}
|
|
|
|
if output := string(p.SanitizeBytes([]byte(input))); output != input {
|
|
t.Errorf(`SanitizeBytes() input = %s, output = %s`, input, output)
|
|
}
|
|
|
|
if output := p.SanitizeReader(
|
|
strings.NewReader(input),
|
|
).String(); output != input {
|
|
|
|
t.Errorf(`SanitizeReader() input = %s, output = %s`, input, output)
|
|
}
|
|
|
|
input = "\t\n \n\t"
|
|
|
|
if output := p.Sanitize(input); output != input {
|
|
t.Errorf(`Sanitize() input = %s, output = %s`, input, output)
|
|
}
|
|
|
|
if output := string(p.SanitizeBytes([]byte(input))); output != input {
|
|
t.Errorf(`SanitizeBytes() input = %s, output = %s`, input, output)
|
|
}
|
|
|
|
if output := p.SanitizeReader(
|
|
strings.NewReader(input),
|
|
).String(); output != input {
|
|
|
|
t.Errorf(`SanitizeReader() input = %s, output = %s`, input, output)
|
|
}
|
|
}
|
|
|
|
func TestAllowDocType(t *testing.T) {
|
|
p := NewPolicy()
|
|
p.AllowElements("b")
|
|
|
|
in := "<!DOCTYPE html>Hello, <b>World</b>!"
|
|
expected := "Hello, <b>World</b>!"
|
|
|
|
out := p.Sanitize(in)
|
|
if out != expected {
|
|
t.Errorf(
|
|
"test 1 failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
in,
|
|
out,
|
|
expected,
|
|
)
|
|
}
|
|
|
|
// Allow the doctype and run the test again
|
|
p.AllowDocType(true)
|
|
|
|
expected = "<!DOCTYPE html>Hello, <b>World</b>!"
|
|
|
|
out = p.Sanitize(in)
|
|
if out != expected {
|
|
t.Errorf(
|
|
"test 1 failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
in,
|
|
out,
|
|
expected,
|
|
)
|
|
}
|
|
}
|
|
|
|
func TestLinks(t *testing.T) {
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<a href="http://www.google.com">`,
|
|
expected: `<a href="http://www.google.com" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<a href="//www.google.com">`,
|
|
expected: `<a href="//www.google.com" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<a href="/www.google.com">`,
|
|
expected: `<a href="/www.google.com" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<a href="www.google.com">`,
|
|
expected: `<a href="www.google.com" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<a href="javascript:alert(1)">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<a href="#">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<a href="#top">`,
|
|
expected: `<a href="#top" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<a href="?q=1">`,
|
|
expected: `<a href="?q=1" rel="nofollow">`,
|
|
},
|
|
{
|
|
in: `<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />`,
|
|
expected: `<img alt="Red dot"/>`,
|
|
},
|
|
{
|
|
in: `<img src="giraffe.gif" />`,
|
|
expected: `<img src="giraffe.gif"/>`,
|
|
},
|
|
}
|
|
|
|
p := UGCPolicy()
|
|
p.RequireParseableURLs(true)
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestLinkTargets(t *testing.T) {
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<a href="http://www.google.com">`,
|
|
expected: `<a href="http://www.google.com" rel="nofollow noopener" target="_blank">`,
|
|
},
|
|
{
|
|
in: `<a href="//www.google.com">`,
|
|
expected: `<a href="//www.google.com" rel="nofollow noopener" target="_blank">`,
|
|
},
|
|
{
|
|
in: `<a href="/www.google.com">`,
|
|
expected: `<a href="/www.google.com">`,
|
|
},
|
|
{
|
|
in: `<a href="www.google.com">`,
|
|
expected: `<a href="www.google.com">`,
|
|
},
|
|
{
|
|
in: `<a href="javascript:alert(1)">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<a href="#">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<a href="#top">`,
|
|
expected: `<a href="#top">`,
|
|
},
|
|
{
|
|
in: `<a href="?q=1">`,
|
|
expected: `<a href="?q=1">`,
|
|
},
|
|
{
|
|
in: `<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" alt="Red dot" />`,
|
|
expected: `<img alt="Red dot"/>`,
|
|
},
|
|
{
|
|
in: `<img src="giraffe.gif" />`,
|
|
expected: `<img src="giraffe.gif"/>`,
|
|
},
|
|
}
|
|
|
|
p := UGCPolicy()
|
|
p.RequireParseableURLs(true)
|
|
p.RequireNoFollowOnLinks(false)
|
|
p.RequireNoFollowOnFullyQualifiedLinks(true)
|
|
p.AddTargetBlankToFullyQualifiedLinks(true)
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestStyling(t *testing.T) {
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<span class="foo">Hello World</span>`,
|
|
expected: `<span class="foo">Hello World</span>`,
|
|
},
|
|
{
|
|
in: `<span class="foo bar654">Hello World</span>`,
|
|
expected: `<span class="foo bar654">Hello World</span>`,
|
|
},
|
|
}
|
|
|
|
p := UGCPolicy()
|
|
p.AllowStyling()
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestEmptyAttributes(t *testing.T) {
|
|
|
|
p := UGCPolicy()
|
|
// Do not do this, especially without a Matching() clause, this is a test
|
|
p.AllowAttrs("disabled").OnElements("textarea")
|
|
|
|
tests := []test{
|
|
// Empty elements
|
|
{
|
|
in: `<textarea>text</textarea><textarea disabled></textarea>` +
|
|
`<div onclick='redirect()'><span>Styled by span</span></div>`,
|
|
expected: `<textarea>text</textarea><textarea disabled=""></textarea>` +
|
|
`<div><span>Styled by span</span></div>`,
|
|
},
|
|
{
|
|
in: `foo<br />bar`,
|
|
expected: `foo<br/>bar`,
|
|
},
|
|
{
|
|
in: `foo<br/>bar`,
|
|
expected: `foo<br/>bar`,
|
|
},
|
|
{
|
|
in: `foo<br>bar`,
|
|
expected: `foo<br>bar`,
|
|
},
|
|
{
|
|
in: `foo<hr noshade>bar`,
|
|
expected: `foo<hr>bar`,
|
|
},
|
|
}
|
|
|
|
for ii, test := range tests {
|
|
out := p.Sanitize(test.in)
|
|
if out != test.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
test.in,
|
|
out,
|
|
test.expected,
|
|
)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestDataUri(t *testing.T) {
|
|
|
|
p := UGCPolicy()
|
|
p.AllowURLSchemeWithCustomPolicy(
|
|
"data",
|
|
func(url *url.URL) (allowUrl bool) {
|
|
// Allows PNG images only
|
|
const prefix = "image/png;base64,"
|
|
if !strings.HasPrefix(url.Opaque, prefix) {
|
|
return false
|
|
}
|
|
if _, err := base64.StdEncoding.DecodeString(url.Opaque[len(prefix):]); err != nil {
|
|
return false
|
|
}
|
|
if url.RawQuery != "" || url.Fragment != "" {
|
|
return false
|
|
}
|
|
return true
|
|
},
|
|
)
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==">`,
|
|
expected: `<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==">`,
|
|
},
|
|
{
|
|
in: `<img src="data:text/javascript;charset=utf-8,alert('hi');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<img src="data:image/png;base64,charset=utf-8,alert('hi');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4-_8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==">`,
|
|
expected: ``,
|
|
},
|
|
}
|
|
|
|
for ii, test := range tests {
|
|
out := p.Sanitize(test.in)
|
|
if out != test.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
test.in,
|
|
out,
|
|
test.expected,
|
|
)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAntiSamy(t *testing.T) {
|
|
|
|
standardUrls := regexp.MustCompile(`(?i)^https?|mailto`)
|
|
|
|
p := NewPolicy()
|
|
|
|
p.AllowElements(
|
|
"a", "b", "br", "div", "font", "i", "img", "input", "li", "ol", "p",
|
|
"span", "td", "ul",
|
|
)
|
|
p.AllowAttrs("checked", "type").OnElements("input")
|
|
p.AllowAttrs("color").OnElements("font")
|
|
p.AllowAttrs("href").Matching(standardUrls).OnElements("a")
|
|
p.AllowAttrs("src").Matching(standardUrls).OnElements("img")
|
|
p.AllowAttrs("class", "id", "title").Globally()
|
|
p.AllowAttrs("char").Matching(
|
|
regexp.MustCompile(`p{L}`), // Single character or HTML entity only
|
|
).OnElements("td")
|
|
|
|
tests := []test{
|
|
// Base64 strings
|
|
//
|
|
// first string is
|
|
// <a - href="http://www.owasp.org">click here</a>
|
|
{
|
|
in: `PGEgLSBocmVmPSJodHRwOi8vd3d3Lm93YXNwLm9yZyI+Y2xpY2sgaGVyZTwvYT4=`,
|
|
expected: `PGEgLSBocmVmPSJodHRwOi8vd3d3Lm93YXNwLm9yZyI+Y2xpY2sgaGVyZTwvYT4=`,
|
|
},
|
|
// the rest are randomly generated 300 byte sequences which generate
|
|
// parser errors, turned into Strings
|
|
{
|
|
in: `uz0sEy5aDiok6oufQRaYPyYOxbtlACRnfrOnUVIbOstiaoB95iw+dJYuO5sI9nudhRtSYLANlcdgO0pRb+65qKDwZ5o6GJRMWv4YajZk+7Q3W/GN295XmyWUpxuyPGVi7d5fhmtYaYNW6vxyKK1Wjn9IEhIrfvNNjtEF90vlERnz3wde4WMaKMeciqgDXuZHEApYmUcu6Wbx4Q6WcNDqohAN/qCli74tvC+Umy0ZsQGU7E+BvJJ1tLfMcSzYiz7Q15ByZOYrA2aa0wDu0no3gSatjGt6aB4h30D9xUP31LuPGZ2GdWwMfZbFcfRgDSh42JPwa1bODmt5cw0Y8ACeyrIbfk9IkX1bPpYfIgtO7TwuXjBbhh2EEixOZ2YkcsvmcOSVTvraChbxv6kP`,
|
|
expected: `uz0sEy5aDiok6oufQRaYPyYOxbtlACRnfrOnUVIbOstiaoB95iw+dJYuO5sI9nudhRtSYLANlcdgO0pRb+65qKDwZ5o6GJRMWv4YajZk+7Q3W/GN295XmyWUpxuyPGVi7d5fhmtYaYNW6vxyKK1Wjn9IEhIrfvNNjtEF90vlERnz3wde4WMaKMeciqgDXuZHEApYmUcu6Wbx4Q6WcNDqohAN/qCli74tvC+Umy0ZsQGU7E+BvJJ1tLfMcSzYiz7Q15ByZOYrA2aa0wDu0no3gSatjGt6aB4h30D9xUP31LuPGZ2GdWwMfZbFcfRgDSh42JPwa1bODmt5cw0Y8ACeyrIbfk9IkX1bPpYfIgtO7TwuXjBbhh2EEixOZ2YkcsvmcOSVTvraChbxv6kP`,
|
|
},
|
|
{
|
|
in: `PIWjMV4y+MpuNLtcY3vBRG4ZcNaCkB9wXJr3pghmFA6rVXAik+d5lei48TtnHvfvb5rQZVceWKv9cR/9IIsLokMyN0omkd8j3TV0DOh3JyBjPHFCu1Gp4Weo96h5C6RBoB0xsE4QdS2Y1sq/yiha9IebyHThAfnGU8AMC4AvZ7DDBccD2leZy2Q617ekz5grvxEG6tEcZ3fCbJn4leQVVo9MNoerim8KFHGloT+LxdgQR6YN5y1ii3bVGreM51S4TeANujdqJXp8B7B1Gk3PKCRS2T1SNFZedut45y+/w7wp5AUQCBUpIPUj6RLp+y3byWhcbZbJ70KOzTSZuYYIKLLo8047Fej43bIaghJm0F9yIKk3C5gtBcw8T5pciJoVXrTdBAK/8fMVo29P`,
|
|
expected: `PIWjMV4y+MpuNLtcY3vBRG4ZcNaCkB9wXJr3pghmFA6rVXAik+d5lei48TtnHvfvb5rQZVceWKv9cR/9IIsLokMyN0omkd8j3TV0DOh3JyBjPHFCu1Gp4Weo96h5C6RBoB0xsE4QdS2Y1sq/yiha9IebyHThAfnGU8AMC4AvZ7DDBccD2leZy2Q617ekz5grvxEG6tEcZ3fCbJn4leQVVo9MNoerim8KFHGloT+LxdgQR6YN5y1ii3bVGreM51S4TeANujdqJXp8B7B1Gk3PKCRS2T1SNFZedut45y+/w7wp5AUQCBUpIPUj6RLp+y3byWhcbZbJ70KOzTSZuYYIKLLo8047Fej43bIaghJm0F9yIKk3C5gtBcw8T5pciJoVXrTdBAK/8fMVo29P`,
|
|
},
|
|
{
|
|
in: `uCk7HocubT6KzJw2eXpSUItZFGkr7U+D89mJw70rxdqXP2JaG04SNjx3dd84G4bz+UVPPhPO2gBAx2vHI0xhgJG9T4vffAYh2D1kenmr+8gIHt6WDNeD+HwJeAbJYhfVFMJsTuIGlYIw8+I+TARK0vqjACyRwMDAndhXnDrk4E5U3hyjqS14XX0kIDZYM6FGFPXe/s+ba2886Q8o1a7WosgqqAmt4u6R3IHOvVf5/PIeZrBJKrVptxjdjelP8Xwjq2ujWNtR3/HM1kjRlJi4xedvMRe4Rlxek0NDLC9hNd18RYi0EjzQ0bGSDDl0813yv6s6tcT6xHMzKvDcUcFRkX6BbxmoIcMsVeHM/ur6yRv834o/TT5IdiM9/wpkuICFOWIfM+Y8OWhiU6BK`,
|
|
expected: `uCk7HocubT6KzJw2eXpSUItZFGkr7U+D89mJw70rxdqXP2JaG04SNjx3dd84G4bz+UVPPhPO2gBAx2vHI0xhgJG9T4vffAYh2D1kenmr+8gIHt6WDNeD+HwJeAbJYhfVFMJsTuIGlYIw8+I+TARK0vqjACyRwMDAndhXnDrk4E5U3hyjqS14XX0kIDZYM6FGFPXe/s+ba2886Q8o1a7WosgqqAmt4u6R3IHOvVf5/PIeZrBJKrVptxjdjelP8Xwjq2ujWNtR3/HM1kjRlJi4xedvMRe4Rlxek0NDLC9hNd18RYi0EjzQ0bGSDDl0813yv6s6tcT6xHMzKvDcUcFRkX6BbxmoIcMsVeHM/ur6yRv834o/TT5IdiM9/wpkuICFOWIfM+Y8OWhiU6BK`,
|
|
},
|
|
{
|
|
in: `Bb6Cqy6stJ0YhtPirRAQ8OXrPFKAeYHeuZXuC1qdHJRlweEzl4F2z/ZFG7hzr5NLZtzrRG3wm5TXl6Aua5G6v0WKcjJiS2V43WB8uY1BFK1d2y68c1gTRSF0u+VTThGjz+q/R6zE8HG8uchO+KPw64RehXDbPQ4uadiL+UwfZ4BzY1OHhvM5+2lVlibG+awtH6qzzx6zOWemTih932Lt9mMnm3FzEw7uGzPEYZ3aBV5xnbQ2a2N4UXIdm7RtIUiYFzHcLe5PZM/utJF8NdHKy0SPaKYkdXHli7g3tarzAabLZqLT4k7oemKYCn/eKRreZjqTB2E8Kc9Swf3jHDkmSvzOYE8wi1vQ3X7JtPcQ2O4muvpSa70NIE+XK1CgnnsL79Qzci1/1xgkBlNq`,
|
|
expected: `Bb6Cqy6stJ0YhtPirRAQ8OXrPFKAeYHeuZXuC1qdHJRlweEzl4F2z/ZFG7hzr5NLZtzrRG3wm5TXl6Aua5G6v0WKcjJiS2V43WB8uY1BFK1d2y68c1gTRSF0u+VTThGjz+q/R6zE8HG8uchO+KPw64RehXDbPQ4uadiL+UwfZ4BzY1OHhvM5+2lVlibG+awtH6qzzx6zOWemTih932Lt9mMnm3FzEw7uGzPEYZ3aBV5xnbQ2a2N4UXIdm7RtIUiYFzHcLe5PZM/utJF8NdHKy0SPaKYkdXHli7g3tarzAabLZqLT4k7oemKYCn/eKRreZjqTB2E8Kc9Swf3jHDkmSvzOYE8wi1vQ3X7JtPcQ2O4muvpSa70NIE+XK1CgnnsL79Qzci1/1xgkBlNq`,
|
|
},
|
|
{
|
|
in: `FZNVr4nOICD1cNfAvQwZvZWi+P4I2Gubzrt+wK+7gLEY144BosgKeK7snwlA/vJjPAnkFW72APTBjY6kk4EOyoUef0MxRnZEU11vby5Ru19eixZBFB/SVXDJleLK0z3zXXE8U5Zl5RzLActHakG8Psvdt8TDscQc4MPZ1K7mXDhi7FQdpjRTwVxFyCFoybQ9WNJNGPsAkkm84NtFb4KjGpwVC70oq87tM2gYCrNgMhBfdBl0bnQHoNBCp76RKdpq1UAY01t1ipfgt7BoaAr0eTw1S32DezjfkAz04WyPTzkdBKd3b44rX9dXEbm6szAz0SjgztRPDJKSMELjq16W2Ua8d1AHq2Dz8JlsvGzi2jICUjpFsIfRmQ/STSvOT8VsaCFhwL1zDLbn5jCr`,
|
|
expected: `FZNVr4nOICD1cNfAvQwZvZWi+P4I2Gubzrt+wK+7gLEY144BosgKeK7snwlA/vJjPAnkFW72APTBjY6kk4EOyoUef0MxRnZEU11vby5Ru19eixZBFB/SVXDJleLK0z3zXXE8U5Zl5RzLActHakG8Psvdt8TDscQc4MPZ1K7mXDhi7FQdpjRTwVxFyCFoybQ9WNJNGPsAkkm84NtFb4KjGpwVC70oq87tM2gYCrNgMhBfdBl0bnQHoNBCp76RKdpq1UAY01t1ipfgt7BoaAr0eTw1S32DezjfkAz04WyPTzkdBKd3b44rX9dXEbm6szAz0SjgztRPDJKSMELjq16W2Ua8d1AHq2Dz8JlsvGzi2jICUjpFsIfRmQ/STSvOT8VsaCFhwL1zDLbn5jCr`,
|
|
},
|
|
{
|
|
in: `RuiRkvYjH2FcCjNzFPT2PJWh7Q6vUbfMadMIEnw49GvzTmhk4OUFyjY13GL52JVyqdyFrnpgEOtXiTu88Cm+TiBI7JRh0jRs3VJRP3N+5GpyjKX7cJA46w8PrH3ovJo3PES7o8CSYKRa3eUs7BnFt7kUCvMqBBqIhTIKlnQd2JkMNnhhCcYdPygLx7E1Vg+H3KybcETsYWBeUVrhRl/RAyYJkn6LddjPuWkDdgIcnKhNvpQu4MMqF3YbzHgyTh7bdWjy1liZle7xR/uRbOrRIRKTxkUinQGEWyW3bbXOvPO71E7xyKywBanwg2FtvzOoRFRVF7V9mLzPSqdvbM7VMQoLFob2UgeNLbVHkWeQtEqQWIV5RMu3+knhoqGYxP/3Srszp0ELRQy/xyyD`,
|
|
expected: `RuiRkvYjH2FcCjNzFPT2PJWh7Q6vUbfMadMIEnw49GvzTmhk4OUFyjY13GL52JVyqdyFrnpgEOtXiTu88Cm+TiBI7JRh0jRs3VJRP3N+5GpyjKX7cJA46w8PrH3ovJo3PES7o8CSYKRa3eUs7BnFt7kUCvMqBBqIhTIKlnQd2JkMNnhhCcYdPygLx7E1Vg+H3KybcETsYWBeUVrhRl/RAyYJkn6LddjPuWkDdgIcnKhNvpQu4MMqF3YbzHgyTh7bdWjy1liZle7xR/uRbOrRIRKTxkUinQGEWyW3bbXOvPO71E7xyKywBanwg2FtvzOoRFRVF7V9mLzPSqdvbM7VMQoLFob2UgeNLbVHkWeQtEqQWIV5RMu3+knhoqGYxP/3Srszp0ELRQy/xyyD`,
|
|
},
|
|
{
|
|
in: `mqBEVbNnL929CUA3sjkOmPB5dL0/a0spq8LgbIsJa22SfP580XduzUIKnCtdeC9TjPB/GEPp/LvEUFaLTUgPDQQGu3H5UCZyjVTAMHl45me/0qISEf903zFFqW5Lk3TS6iPrithqMMvhdK29Eg5OhhcoHS+ALpn0EjzUe86NywuFNb6ID4o8aF/ztZlKJegnpDAm3JuhCBauJ+0gcOB8GNdWd5a06qkokmwk1tgwWat7cQGFIH1NOvBwRMKhD51MJ7V28806a3zkOVwwhOiyyTXR+EcDA/aq5acX0yailLWB82g/2GR/DiaqNtusV+gpcMTNYemEv3c/xLkClJc29DSfTsJGKsmIDMqeBMM7RRBNinNAriY9iNX1UuHZLr/tUrRNrfuNT5CvvK1K`,
|
|
expected: `mqBEVbNnL929CUA3sjkOmPB5dL0/a0spq8LgbIsJa22SfP580XduzUIKnCtdeC9TjPB/GEPp/LvEUFaLTUgPDQQGu3H5UCZyjVTAMHl45me/0qISEf903zFFqW5Lk3TS6iPrithqMMvhdK29Eg5OhhcoHS+ALpn0EjzUe86NywuFNb6ID4o8aF/ztZlKJegnpDAm3JuhCBauJ+0gcOB8GNdWd5a06qkokmwk1tgwWat7cQGFIH1NOvBwRMKhD51MJ7V28806a3zkOVwwhOiyyTXR+EcDA/aq5acX0yailLWB82g/2GR/DiaqNtusV+gpcMTNYemEv3c/xLkClJc29DSfTsJGKsmIDMqeBMM7RRBNinNAriY9iNX1UuHZLr/tUrRNrfuNT5CvvK1K`,
|
|
},
|
|
{
|
|
in: `IMcfbWZ/iCa/LDcvMlk6LEJ0gDe4ohy2Vi0pVBd9aqR5PnRj8zGit8G2rLuNUkDmQ95bMURasmaPw2Xjf6SQjRk8coIHDLtbg/YNQVMabE8pKd6EaFdsGWJkcFoonxhPR29aH0xvjC4Mp3cJX3mjqyVsOp9xdk6d0Y2hzV3W/oPCq0DV03pm7P3+jH2OzoVVIDYgG1FD12S03otJrCXuzDmE2LOQ0xwgBQ9sREBLXwQzUKfXH8ogZzjdR19pX9qe0rRKMNz8k5lqcF9R2z+XIS1QAfeV9xopXA0CeyrhtoOkXV2i8kBxyodDp7tIeOvbEfvaqZGJgaJyV8UMTDi7zjwNeVdyKa8USH7zrXSoCl+Ud5eflI9vxKS+u9Bt1ufBHJtULOCHGA2vimkU`,
|
|
expected: `IMcfbWZ/iCa/LDcvMlk6LEJ0gDe4ohy2Vi0pVBd9aqR5PnRj8zGit8G2rLuNUkDmQ95bMURasmaPw2Xjf6SQjRk8coIHDLtbg/YNQVMabE8pKd6EaFdsGWJkcFoonxhPR29aH0xvjC4Mp3cJX3mjqyVsOp9xdk6d0Y2hzV3W/oPCq0DV03pm7P3+jH2OzoVVIDYgG1FD12S03otJrCXuzDmE2LOQ0xwgBQ9sREBLXwQzUKfXH8ogZzjdR19pX9qe0rRKMNz8k5lqcF9R2z+XIS1QAfeV9xopXA0CeyrhtoOkXV2i8kBxyodDp7tIeOvbEfvaqZGJgaJyV8UMTDi7zjwNeVdyKa8USH7zrXSoCl+Ud5eflI9vxKS+u9Bt1ufBHJtULOCHGA2vimkU`,
|
|
},
|
|
{
|
|
in: `AqC2sr44HVueGzgW13zHvJkqOEBWA8XA66ZEb3EoL1ehypSnJ07cFoWZlO8kf3k57L1fuHFWJ6quEdLXQaT9SJKHlUaYQvanvjbBlqWwaH3hODNsBGoK0DatpoQ+FxcSkdVE/ki3rbEUuJiZzU0BnDxH+Q6FiNsBaJuwau29w24MlD28ELJsjCcUVwtTQkaNtUxIlFKHLj0++T+IVrQH8KZlmVLvDefJ6llWbrFNVuh674HfKr/GEUatG6KI4gWNtGKKRYh76mMl5xH5qDfBZqxyRaKylJaDIYbx5xP5I4DDm4gOnxH+h/Pu6dq6FJ/U3eDio/KQ9xwFqTuyjH0BIRBsvWWgbTNURVBheq+am92YBhkj1QmdKTxQ9fQM55O8DpyWzRhky0NevM9j`,
|
|
expected: `AqC2sr44HVueGzgW13zHvJkqOEBWA8XA66ZEb3EoL1ehypSnJ07cFoWZlO8kf3k57L1fuHFWJ6quEdLXQaT9SJKHlUaYQvanvjbBlqWwaH3hODNsBGoK0DatpoQ+FxcSkdVE/ki3rbEUuJiZzU0BnDxH+Q6FiNsBaJuwau29w24MlD28ELJsjCcUVwtTQkaNtUxIlFKHLj0++T+IVrQH8KZlmVLvDefJ6llWbrFNVuh674HfKr/GEUatG6KI4gWNtGKKRYh76mMl5xH5qDfBZqxyRaKylJaDIYbx5xP5I4DDm4gOnxH+h/Pu6dq6FJ/U3eDio/KQ9xwFqTuyjH0BIRBsvWWgbTNURVBheq+am92YBhkj1QmdKTxQ9fQM55O8DpyWzRhky0NevM9j`,
|
|
},
|
|
{
|
|
in: `qkFfS3WfLyj3QTQT9i/s57uOPQCTN1jrab8bwxaxyeYUlz2tEtYyKGGUufua8WzdBT2VvWTvH0JkK0LfUJ+vChvcnMFna+tEaCKCFMIOWMLYVZSJDcYMIqaIr8d0Bi2bpbVf5z4WNma0pbCKaXpkYgeg1Sb8HpKG0p0fAez7Q/QRASlvyM5vuIOH8/CM4fF5Ga6aWkTRG0lfxiyeZ2vi3q7uNmsZF490J79r/6tnPPXIIC4XGnijwho5NmhZG0XcQeyW5KnT7VmGACFdTHOb9oS5WxZZU29/oZ5Y23rBBoSDX/xZ1LNFiZk6Xfl4ih207jzogv+3nOro93JHQydNeKEwxOtbKqEe7WWJLDw/EzVdJTODrhBYKbjUce10XsavuiTvv+H1Qh4lo2Vx`,
|
|
expected: `qkFfS3WfLyj3QTQT9i/s57uOPQCTN1jrab8bwxaxyeYUlz2tEtYyKGGUufua8WzdBT2VvWTvH0JkK0LfUJ+vChvcnMFna+tEaCKCFMIOWMLYVZSJDcYMIqaIr8d0Bi2bpbVf5z4WNma0pbCKaXpkYgeg1Sb8HpKG0p0fAez7Q/QRASlvyM5vuIOH8/CM4fF5Ga6aWkTRG0lfxiyeZ2vi3q7uNmsZF490J79r/6tnPPXIIC4XGnijwho5NmhZG0XcQeyW5KnT7VmGACFdTHOb9oS5WxZZU29/oZ5Y23rBBoSDX/xZ1LNFiZk6Xfl4ih207jzogv+3nOro93JHQydNeKEwxOtbKqEe7WWJLDw/EzVdJTODrhBYKbjUce10XsavuiTvv+H1Qh4lo2Vx`,
|
|
},
|
|
{
|
|
in: `O900/Gn82AjyLYqiWZ4ILXBBv/ZaXpTpQL0p9nv7gwF2MWsS2OWEImcVDa+1ElrjUumG6CVEv/rvax53krqJJDg+4Z/XcHxv58w6hNrXiWqFNjxlu5RZHvj1oQQXnS2n8qw8e/c+8ea2TiDIVr4OmgZz1G9uSPBeOZJvySqdgNPMpgfjZwkL2ez9/x31sLuQxi/FW3DFXU6kGSUjaq8g/iGXlaaAcQ0t9Gy+y005Z9wpr2JWWzishL+1JZp9D4SY/r3NHDphN4MNdLHMNBRPSIgfsaSqfLraIt+zWIycsd+nksVxtPv9wcyXy51E1qlHr6Uygz2VZYD9q9zyxEX4wRP2VEewHYUomL9d1F6gGG5fN3z82bQ4hI9uDirWhneWazUOQBRud5otPOm9`,
|
|
expected: `O900/Gn82AjyLYqiWZ4ILXBBv/ZaXpTpQL0p9nv7gwF2MWsS2OWEImcVDa+1ElrjUumG6CVEv/rvax53krqJJDg+4Z/XcHxv58w6hNrXiWqFNjxlu5RZHvj1oQQXnS2n8qw8e/c+8ea2TiDIVr4OmgZz1G9uSPBeOZJvySqdgNPMpgfjZwkL2ez9/x31sLuQxi/FW3DFXU6kGSUjaq8g/iGXlaaAcQ0t9Gy+y005Z9wpr2JWWzishL+1JZp9D4SY/r3NHDphN4MNdLHMNBRPSIgfsaSqfLraIt+zWIycsd+nksVxtPv9wcyXy51E1qlHr6Uygz2VZYD9q9zyxEX4wRP2VEewHYUomL9d1F6gGG5fN3z82bQ4hI9uDirWhneWazUOQBRud5otPOm9`,
|
|
},
|
|
{
|
|
in: `C3c+d5Q9lyTafPLdelG1TKaLFinw1TOjyI6KkrQyHKkttfnO58WFvScl1TiRcB/iHxKahskoE2+VRLUIhctuDU4sUvQh/g9Arw0LAA4QTxuLFt01XYdigurz4FT15ox2oDGGGrRb3VGjDTXK1OWVJoLMW95EVqyMc9F+Fdej85LHE+8WesIfacjUQtTG1tzYVQTfubZq0+qxXws8QrxMLFtVE38tbeXo+Ok1/U5TUa6FjWflEfvKY3XVcl8RKkXua7fVz/Blj8Gh+dWe2cOxa0lpM75ZHyz9adQrB2Pb4571E4u2xI5un0R0MFJZBQuPDc1G5rPhyk+Hb4LRG3dS0m8IASQUOskv93z978L1+Abu9CLP6d6s5p+BzWxhMUqwQXC/CCpTywrkJ0RG`,
|
|
expected: `C3c+d5Q9lyTafPLdelG1TKaLFinw1TOjyI6KkrQyHKkttfnO58WFvScl1TiRcB/iHxKahskoE2+VRLUIhctuDU4sUvQh/g9Arw0LAA4QTxuLFt01XYdigurz4FT15ox2oDGGGrRb3VGjDTXK1OWVJoLMW95EVqyMc9F+Fdej85LHE+8WesIfacjUQtTG1tzYVQTfubZq0+qxXws8QrxMLFtVE38tbeXo+Ok1/U5TUa6FjWflEfvKY3XVcl8RKkXua7fVz/Blj8Gh+dWe2cOxa0lpM75ZHyz9adQrB2Pb4571E4u2xI5un0R0MFJZBQuPDc1G5rPhyk+Hb4LRG3dS0m8IASQUOskv93z978L1+Abu9CLP6d6s5p+BzWxhMUqwQXC/CCpTywrkJ0RG`,
|
|
},
|
|
// Basic XSS
|
|
{
|
|
in: `test<script>alert(document.cookie)</script>`,
|
|
expected: `test`,
|
|
},
|
|
{
|
|
in: `<<<><<script src=http://fake-evil.ru/test.js>`,
|
|
expected: `<<<><`,
|
|
},
|
|
{
|
|
in: `<script<script src=http://fake-evil.ru/test.js>>`,
|
|
expected: `>`,
|
|
},
|
|
{
|
|
in: `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BODY ONLOAD=alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<iframe src=http://ha.ckers.org/scriptlet.html <`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"">`,
|
|
expected: `<input type="IMAGE">`,
|
|
},
|
|
{
|
|
in: `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`,
|
|
expected: `<a href="http://www.google.com">Google</a>`,
|
|
},
|
|
// IMG attacks
|
|
{
|
|
in: `<img src="http://www.myspace.com/img.gif"/>`,
|
|
expected: `<img src="http://www.myspace.com/img.gif"/>`,
|
|
},
|
|
{
|
|
in: `<img src=javascript:alert(document.cookie)>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC='javascript:alert('XSS')'>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="jav
ascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="javascript:alert('XSS')"`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG LOWSRC="javascript:alert('XSS')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BGSOUND SRC="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
// HREF attacks
|
|
{
|
|
in: `<LINK REL="stylesheet" HREF="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS`,
|
|
expected: `<ul><li>XSS`,
|
|
},
|
|
{
|
|
in: `<IMG SRC='vbscript:msgbox("XSS")'>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<TABLE BACKGROUND="javascript:alert('XSS')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<TABLE><TD BACKGROUND="javascript:alert('XSS')">`,
|
|
expected: `<td>`,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="width: expression(alert('XSS'));">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>@im\\port'\\ja\\vasc\\ript:alert("XSS")';</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BASE HREF="javascript:alert('XSS');//">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BaSe hReF="http://arbitrary.com/">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: "<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: `PT SRC="http://ha.ckers.org/xss.js">`,
|
|
},
|
|
{
|
|
in: `<SCRIPT SRC=http://ha.ckers.org/xss.js`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&>`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->`,
|
|
expected: `test-->`,
|
|
},
|
|
{
|
|
in: `<a></a style="xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">`,
|
|
expected: ``,
|
|
},
|
|
// CSS attacks
|
|
{
|
|
in: `<div style="position:absolute">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<style>b { position:absolute }</style>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<div style="z-index:25">test</div>`,
|
|
expected: `<div>test</div>`,
|
|
},
|
|
{
|
|
in: `<style>z-index:25</style>`,
|
|
expected: ``,
|
|
},
|
|
// Strings that cause issues for tokenizers
|
|
{
|
|
in: `<a - href="http://www.test.com">`,
|
|
expected: `<a href="http://www.test.com">`,
|
|
},
|
|
// Comments
|
|
{
|
|
in: `text <!-- comment -->`,
|
|
expected: `text `,
|
|
},
|
|
{
|
|
in: `<div>text <!-- comment --></div>`,
|
|
expected: `<div>text </div>`,
|
|
},
|
|
{
|
|
in: `<div>text <!--[if IE]> comment <[endif]--></div>`,
|
|
expected: `<div>text </div>`,
|
|
},
|
|
{
|
|
in: `<div>text <!--[if IE]> <!--[if gte 6]> comment <[endif]--><[endif]--></div>`,
|
|
expected: `<div>text <[endif]--></div>`,
|
|
},
|
|
{
|
|
in: `<div>text <!--[if IE]> <!-- IE specific --> comment <[endif]--></div>`,
|
|
expected: `<div>text comment <[endif]--></div>`,
|
|
},
|
|
{
|
|
in: `<div>text <!-- [ if lte 6 ]>\ncomment <[ endif\n]--></div>`,
|
|
expected: `<div>text </div>`,
|
|
},
|
|
{
|
|
in: `<div>text <![if !IE]> comment <![endif]></div>`,
|
|
expected: `<div>text comment </div>`,
|
|
},
|
|
{
|
|
in: `<div>text <![ if !IE]> comment <![endif]></div>`,
|
|
expected: `<div>text comment </div>`,
|
|
},
|
|
}
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestXSS(t *testing.T) {
|
|
|
|
p := UGCPolicy()
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>`,
|
|
expected: `XSS`,
|
|
},
|
|
{
|
|
in: `<A HREF="h
|
|
tt p://6 6.000146.0x7.147/">XSS</A>`,
|
|
expected: `XSS`,
|
|
},
|
|
{
|
|
in: `<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: `PT SRC="http://ha.ckers.org/xss.js">`,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: "<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>",
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS')`,
|
|
expected: ` +ADw-SCRIPT+AD4-alert('XSS')`,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<? echo('<SCR)';
|
|
echo('IPT>alert("XSS")</SCRIPT>'); ?>`,
|
|
expected: `alert("XSS")'); ?>`,
|
|
},
|
|
{
|
|
in: `<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<HTML><BODY>
|
|
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
|
|
<?import namespace="t" implementation="#default#time2">
|
|
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
|
|
</BODY></HTML>`,
|
|
expected: "\n\n\n">\n",
|
|
},
|
|
{
|
|
in: `<XML SRC="xsstest.xml" ID=I></XML>
|
|
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>`,
|
|
expected: `
|
|
<span></span>`,
|
|
},
|
|
{
|
|
in: `<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
|
|
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>`,
|
|
expected: `<i><b></b></i>
|
|
<span></span>`,
|
|
},
|
|
{
|
|
in: `<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BASE HREF="javascript:alert('XSS');//">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="width: expression(alert('XSS'));">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<DIV STYLE="background-image: url(javascript:alert('XSS'))">`,
|
|
expected: `<div>`,
|
|
},
|
|
{
|
|
in: `<TABLE><TD BACKGROUND="javascript:alert('XSS')">`,
|
|
expected: `<table><td>`,
|
|
},
|
|
{
|
|
in: `<TABLE BACKGROUND="javascript:alert('XSS')">`,
|
|
expected: `<table>`,
|
|
},
|
|
{
|
|
in: `<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<XSS STYLE="behavior: url(xss.htc);">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<XSS STYLE="xss:expression(alert('XSS'))">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE TYPE="text/javascript">alert('XSS');</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<LINK REL="stylesheet" HREF="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BR SIZE="&{alert('XSS')}">`,
|
|
expected: `<br>`,
|
|
},
|
|
{
|
|
in: `<BGSOUND SRC="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BODY ONLOAD=alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>`,
|
|
expected: `<ul><li>XSS</br>`,
|
|
},
|
|
{
|
|
in: `<IMG LOWSRC="javascript:alert('XSS')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG DYNSRC="javascript:alert('XSS')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<BODY BACKGROUND="javascript:alert('XSS')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `</TITLE><SCRIPT>alert("XSS");</SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `\";alert('XSS');//`,
|
|
expected: `\";alert('XSS');//`,
|
|
},
|
|
{
|
|
in: `<iframe src=http://ha.ckers.org/scriptlet.html <`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<<SCRIPT>alert("XSS");//<</SCRIPT>`,
|
|
expected: `<`,
|
|
},
|
|
{
|
|
in: "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="  javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="jav
ascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="jav	ascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="jav ascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:a&
|
|
#0000108ert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert(
|
|
'XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>`,
|
|
expected: `<img src="/"></img>`,
|
|
},
|
|
{
|
|
in: `<IMG onmouseover="alert('xxs')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC= onmouseover="alert('xxs')">`,
|
|
expected: `<img src="onmouseover=%22alert%28%27xxs%27%29%22">`,
|
|
},
|
|
{
|
|
in: `<IMG SRC=# onmouseover="alert('xxs')">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
|
|
expected: `">`,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert("XSS")>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=JaVaScRiPt:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC=javascript:alert('XSS')>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<IMG SRC="javascript:alert('XSS');">`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>`,
|
|
expected: ``,
|
|
},
|
|
{
|
|
in: `'';!--"<XSS>=&{()}`,
|
|
expected: `'';!--"=&{()}`,
|
|
},
|
|
{
|
|
in: `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
|
|
expected: `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>`,
|
|
},
|
|
}
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestIssue3(t *testing.T) {
|
|
// https://github.com/microcosm-cc/bluemonday/issues/3
|
|
|
|
p := UGCPolicy()
|
|
p.AllowStyling()
|
|
|
|
tests := []test{
|
|
{
|
|
in: `Hello <span class="foo bar bash">there</span> world.`,
|
|
expected: `Hello <span class="foo bar bash">there</span> world.`,
|
|
},
|
|
{
|
|
in: `Hello <span class="javascript:alert(123)">there</span> world.`,
|
|
expected: `Hello <span>there</span> world.`,
|
|
},
|
|
{
|
|
in: `Hello <span class="><script src="http://hackers.org/XSS.js"></script>">there</span> world.`,
|
|
expected: `Hello <span>">there</span> world.`,
|
|
},
|
|
{
|
|
in: `Hello <span class="><script src='http://hackers.org/XSS.js'></script>">there</span> world.`,
|
|
expected: `Hello <span>there</span> world.`,
|
|
},
|
|
}
|
|
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestIssue9(t *testing.T) {
|
|
|
|
p := UGCPolicy()
|
|
p.AllowAttrs("class").Matching(SpaceSeparatedTokens).OnElements("div", "span")
|
|
p.AllowAttrs("class", "name").Matching(SpaceSeparatedTokens).OnElements("a")
|
|
p.AllowAttrs("rel").Matching(regexp.MustCompile(`^nofollow$`)).OnElements("a")
|
|
p.AllowAttrs("aria-hidden").Matching(regexp.MustCompile(`^true$`)).OnElements("a")
|
|
p.AllowDataURIImages()
|
|
|
|
tt := test{
|
|
in: `<h2><a name="git-diff" class="anchor" href="#git-diff" rel="nofollow" aria-hidden="true"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
expected: `<h2><a name="git-diff" class="anchor" href="#git-diff" rel="nofollow" aria-hidden="true"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
}
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
|
|
tt = test{
|
|
in: `<h2><a name="git-diff" class="anchor" href="#git-diff" aria-hidden="true"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
expected: `<h2><a name="git-diff" class="anchor" href="#git-diff" aria-hidden="true" rel="nofollow"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
}
|
|
out = p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
|
|
p.AddTargetBlankToFullyQualifiedLinks(true)
|
|
|
|
tt = test{
|
|
in: `<h2><a name="git-diff" class="anchor" href="#git-diff" aria-hidden="true"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
expected: `<h2><a name="git-diff" class="anchor" href="#git-diff" aria-hidden="true" rel="nofollow"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
}
|
|
out = p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
|
|
tt = test{
|
|
in: `<h2><a name="git-diff" class="anchor" href="https://github.com/shurcooL/github_flavored_markdown/blob/master/sanitize_test.go" aria-hidden="true"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
expected: `<h2><a name="git-diff" class="anchor" href="https://github.com/shurcooL/github_flavored_markdown/blob/master/sanitize_test.go" aria-hidden="true" rel="nofollow noopener" target="_blank"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
}
|
|
out = p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
|
|
tt = test{
|
|
in: `<h2><a name="git-diff" class="anchor" href="https://github.com/shurcooL/github_flavored_markdown/blob/master/sanitize_test.go" aria-hidden="true" target="namedwindow"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
expected: `<h2><a name="git-diff" class="anchor" href="https://github.com/shurcooL/github_flavored_markdown/blob/master/sanitize_test.go" aria-hidden="true" rel="nofollow noopener" target="_blank"><span class="octicon octicon-link"></span></a>git diff</h2>`,
|
|
}
|
|
out = p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
}
|
|
|
|
func TestIssue18(t *testing.T) {
|
|
p := UGCPolicy()
|
|
|
|
p.AllowAttrs("color").OnElements("font")
|
|
p.AllowElements("font")
|
|
|
|
tt := test{
|
|
in: `<font face="Arial">No link here. <a href="http://link.com">link here</a>.</font> Should not be linked here.`,
|
|
expected: `No link here. <a href="http://link.com" rel="nofollow">link here</a>. Should not be linked here.`,
|
|
}
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
tt.in,
|
|
out,
|
|
tt.expected)
|
|
}
|
|
}
|
|
|
|
func TestIssue23(t *testing.T) {
|
|
p := NewPolicy()
|
|
p.SkipElementsContent("tag1", "tag2")
|
|
input := `<tag1>cut<tag2></tag2>harm</tag1><tag1>123</tag1><tag2>234</tag2>`
|
|
out := p.Sanitize(input)
|
|
expected := ""
|
|
if out != expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
out,
|
|
expected)
|
|
}
|
|
|
|
p = NewPolicy()
|
|
p.SkipElementsContent("tag")
|
|
p.AllowElements("p")
|
|
input = `<tag>234<p>asd</p></tag>`
|
|
out = p.Sanitize(input)
|
|
expected = ""
|
|
if out != expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
out,
|
|
expected)
|
|
}
|
|
|
|
p = NewPolicy()
|
|
p.SkipElementsContent("tag")
|
|
p.AllowElements("p", "br")
|
|
input = `<tag>234<p>as<br/>d</p></tag>`
|
|
out = p.Sanitize(input)
|
|
expected = ""
|
|
if out != expected {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
out,
|
|
expected)
|
|
}
|
|
}
|
|
|
|
func TestAllowNoAttrs(t *testing.T) {
|
|
input := "<tag>test</tag>"
|
|
outputFail := "test"
|
|
outputOk := input
|
|
|
|
p := NewPolicy()
|
|
p.AllowElements("tag")
|
|
|
|
if output := p.Sanitize(input); output != outputFail {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
output,
|
|
outputFail,
|
|
)
|
|
}
|
|
|
|
p.AllowNoAttrs().OnElements("tag")
|
|
|
|
if output := p.Sanitize(input); output != outputOk {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
output,
|
|
outputOk,
|
|
)
|
|
}
|
|
}
|
|
|
|
func TestSkipElementsContent(t *testing.T) {
|
|
input := "<tag>test</tag>"
|
|
outputFail := "test"
|
|
outputOk := ""
|
|
|
|
p := NewPolicy()
|
|
|
|
if output := p.Sanitize(input); output != outputFail {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
output,
|
|
outputFail,
|
|
)
|
|
}
|
|
|
|
p.SkipElementsContent("tag")
|
|
|
|
if output := p.Sanitize(input); output != outputOk {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
output,
|
|
outputOk,
|
|
)
|
|
}
|
|
}
|
|
|
|
func TestTagSkipClosingTagNested(t *testing.T) {
|
|
input := "<tag1><tag2><tag3>text</tag3></tag2></tag1>"
|
|
outputOk := "<tag2>text</tag2>"
|
|
|
|
p := NewPolicy()
|
|
p.AllowElements("tag1", "tag3")
|
|
p.AllowNoAttrs().OnElements("tag2")
|
|
|
|
if output := p.Sanitize(input); output != outputOk {
|
|
t.Errorf(
|
|
"test failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
input,
|
|
output,
|
|
outputOk,
|
|
)
|
|
}
|
|
}
|
|
|
|
func TestAddSpaces(t *testing.T) {
|
|
p := UGCPolicy()
|
|
p.AddSpaceWhenStrippingTag(true)
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<foo>Hello</foo><bar>World</bar>`,
|
|
expected: ` Hello World `,
|
|
},
|
|
{
|
|
in: `<p>Hello</p><bar>World</bar>`,
|
|
expected: `<p>Hello</p> World `,
|
|
},
|
|
{
|
|
in: `<p>Hello</p><foo /><p>World</p>`,
|
|
expected: `<p>Hello</p> <p>World</p>`,
|
|
},
|
|
}
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|
|
|
|
func TestTargetBlankNoOpener(t *testing.T) {
|
|
p := UGCPolicy()
|
|
p.AddTargetBlankToFullyQualifiedLinks(true)
|
|
p.AllowAttrs("target").Matching(Paragraph).OnElements("a")
|
|
|
|
tests := []test{
|
|
{
|
|
in: `<a href="/path" />`,
|
|
expected: `<a href="/path" rel="nofollow"/>`,
|
|
},
|
|
{
|
|
in: `<a href="/path" target="_blank" />`,
|
|
expected: `<a href="/path" target="_blank" rel="nofollow noopener"/>`,
|
|
},
|
|
{
|
|
in: `<a href="/path" target="foo" />`,
|
|
expected: `<a href="/path" target="foo" rel="nofollow"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" />`,
|
|
expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" target="_blank"/>`,
|
|
expected: `<a href="https://www.google.com/" target="_blank" rel="nofollow noopener"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" rel="nofollow"/>`,
|
|
expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" rel="noopener"/>`,
|
|
expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" rel="noopener nofollow" />`,
|
|
expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`,
|
|
},
|
|
{
|
|
in: `<a href="https://www.google.com/" target="foo" />`,
|
|
expected: `<a href="https://www.google.com/" target="_blank" rel="nofollow noopener"/>`,
|
|
},
|
|
}
|
|
|
|
// These tests are run concurrently to enable the race detector to pick up
|
|
// potential issues
|
|
wg := sync.WaitGroup{}
|
|
wg.Add(len(tests))
|
|
for ii, tt := range tests {
|
|
go func(ii int, tt test) {
|
|
out := p.Sanitize(tt.in)
|
|
if out != tt.expected {
|
|
t.Errorf(
|
|
"test %d failed;\ninput : %s\noutput : %s\nexpected: %s",
|
|
ii,
|
|
tt.in,
|
|
out,
|
|
tt.expected,
|
|
)
|
|
}
|
|
wg.Done()
|
|
}(ii, tt)
|
|
}
|
|
wg.Wait()
|
|
}
|