author | kaniini <nenolod@gmail.com> | 2019-04-23 23:07:56 +0000 |
---|---|---|
committer | kaniini <nenolod@gmail.com> | 2019-04-23 23:07:56 +0000 |
commit | 030a7876b42a0c925fd52474de514ae5e9171e55 (patch) | |
tree | 6a66d89ea23d49ccac40add027edffa08fdc165c /test | |
parent | 3789945784a331790d73f69b407751df9f7d6e8f (diff) | |
parent | f5535e5743f755c66dcf92a8d4d2c06520cb72c8 (diff) | |
Merge branch 'security/fix-html-class-scrubbing' into 'develop'
html: lock down allowed class attributes to only those related to microformats
See merge request pleroma/pleroma!1090
Diffstat (limited to 'test')
-rw-r--r-- | test/html_test.exs | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/test/html_test.exs b/test/html_test.exs
index 0b5d3d892..08738276e 100644
--- a/test/html_test.exs
+++ b/test/html_test.exs
@@ -20,6 +20,18 @@ defmodule Pleroma.HTMLTest do
   <img src="http://example.com/image.jpg" onerror="alert('hacked')">
   """
 
+  @html_span_class_sample """
+  <span class="animate-spin">hi</span>
+  """
+
+  @html_span_microformats_sample """
+  <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+  """
+
+  @html_span_invalid_microformats_sample """
+  <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
+  """
+
   describe "StripTags scrubber" do
     test "works as expected" do
       expected = """
@@ -64,6 +76,36 @@ defmodule Pleroma.HTMLTest do
 
       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
     end
+
+    test "does not allow spans with invalid classes" do
+      expected = """
+      <span>hi</span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
+    test "does allow microformats" do
+      expected = """
+      <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
+    test "filters invalid microformats markup" do
+      expected = """
+      <span class="h-card"><a>@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(
+                 @html_span_invalid_microformats_sample,
+                 Pleroma.HTML.Scrubber.TwitterText
+               )
+    end
   end
 
   describe "default scrubber" do
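Review bot: The three TwitterText cases in the second hunk assert that a wholly unrelated class (`animate-spin`) is dropped and that exact microformat tokens survive, but no case exercises a value that merely contains or extends an allowed token, such as `h-cardx` or `u-url-foo`; if the scrubber's allowlist (not part of this diff) is a regex or substring match, such a value would slip through untested. Consider adding a fixture like `@html_span_prefix_class_sample """<span class="h-cardx">hi</span>"""` asserted to scrub to `<span>hi</span>`, plus an upper-cased variant such as `H-CARD` to pin down whether matching is case-sensitive. The same coverage gap applies to the Default scrubber cases in the following hunk, so one extra fixture can serve both describe blocks. The enclosing describe block starts outside this hunk.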
@@ -88,5 +130,34 @@ defmodule Pleroma.HTMLTest do
 
       assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
     end
+
+    test "does not allow spans with invalid classes" do
+      expected = """
+      <span>hi</span>
+      """
+
+      assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
+    end
+
+    test "does allow microformats" do
+      expected = """
+      <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
+    end
+
+    test "filters invalid microformats markup" do
+      expected = """
+      <span class="h-card"><a>@<span>foo</span></a></span>
+      """
+
+      assert expected ==
+               HTML.filter_tags(
+                 @html_span_invalid_microformats_sample,
+                 Pleroma.HTML.Scrubber.Default
+               )
+    end
   end
 end