1package blackfriday
  2
  3import (
  4	"testing"
  5)
  6
  7func doTestsSanitize(t *testing.T, tests []string) {
  8	doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
  9}
 10
 11func TestSanitizeRawHtmlTag(t *testing.T) {
 12	tests := []string{
 13		"zz <style>p {}</style>\n",
 14		"<p>zz &lt;style&gt;p {}&lt;/style&gt;</p>\n",
 15
 16		"zz <STYLE>p {}</STYLE>\n",
 17		"<p>zz &lt;style&gt;p {}&lt;/style&gt;</p>\n",
 18
 19		"<SCRIPT>alert()</SCRIPT>\n",
 20		"<p>&lt;script&gt;alert()&lt;/script&gt;</p>\n",
 21
 22		"zz <SCRIPT>alert()</SCRIPT>\n",
 23		"<p>zz &lt;script&gt;alert()&lt;/script&gt;</p>\n",
 24
 25		"zz <script>alert()</script>\n",
 26		"<p>zz &lt;script&gt;alert()&lt;/script&gt;</p>\n",
 27
 28		" <script>alert()</script>\n",
 29		"<p>&lt;script&gt;alert()&lt;/script&gt;</p>\n",
 30
 31		"<script>alert()</script>\n",
 32		"&lt;script&gt;alert()&lt;/script&gt;\n",
 33
 34		"<script src='foo'></script>\n",
 35		"&lt;script src=&#39;foo&#39;&gt;&lt;/script&gt;\n",
 36
 37		"<script src='a>b'></script>\n",
 38		"&lt;script src=&#39;a&gt;b&#39;&gt;&lt;/script&gt;\n",
 39
 40		"zz <script src='foo'></script>\n",
 41		"<p>zz &lt;script src=&#39;foo&#39;&gt;&lt;/script&gt;</p>\n",
 42
 43		"zz <script src=foo></script>\n",
 44		"<p>zz &lt;script src=foo&gt;&lt;/script&gt;</p>\n",
 45
 46		`<script><script src="http://example.com/exploit.js"></SCRIPT></script>`,
 47		"&lt;script&gt;&lt;script src=&#34;http://example.com/exploit.js&#34;&gt;&lt;/script&gt;&lt;/script&gt;\n",
 48
 49		`'';!--"<XSS>=&{()}`,
 50		"<p>&#39;&#39;;!--&#34;&lt;xss&gt;=&amp;{()}</p>\n",
 51
 52		"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
 53		"<p>&lt;script SRC=http://ha.ckers.org/xss.js&gt;&lt;/script&gt;</p>\n",
 54
 55		"<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>",
 56		"<p>&lt;script \nSRC=http://ha.ckers.org/xss.js&gt;&lt;/script&gt;</p>\n",
 57
 58		`<IMG SRC="javascript:alert('XSS');">`,
 59		"<p><img></p>\n",
 60
 61		"<IMG SRC=javascript:alert('XSS')>",
 62		"<p><img></p>\n",
 63
 64		"<IMG SRC=JaVaScRiPt:alert('XSS')>",
 65		"<p><img></p>\n",
 66
 67		"<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
 68		"<p><img></p>\n",
 69
 70		`<a onmouseover="alert(document.cookie)">xss link</a>`,
 71		"<p><a>xss link</a></p>\n",
 72
 73		"<a onmouseover=alert(document.cookie)>xss link</a>",
 74		"<p><a>xss link</a></p>\n",
 75
 76		`<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
 77		"<p><img>&lt;script&gt;alert(&#34;XSS&#34;)&lt;/script&gt;&#34;&gt;</p>\n",
 78
 79		"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
 80		"<p><img></p>\n",
 81
 82		`<IMG SRC=# onmouseover="alert('xxs')">`,
 83		"<p><img></p>\n",
 84
 85		`<IMG SRC= onmouseover="alert('xxs')">`,
 86		"<p><img></p>\n",
 87
 88		`<IMG onmouseover="alert('xxs')">`,
 89		"<p><img></p>\n",
 90
 91		"<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
 92		"<p><img></p>\n",
 93
 94		"<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>",
 95		"<p><img></p>\n",
 96
 97		"<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
 98		"<p><img></p>\n",
 99
100		`<IMG SRC="javascriptascript:alert('XSS');">`,
101		"<p><img></p>\n",
102
103		`<IMG SRC="jav&#x09;ascript:alert('XSS');">`,
104		"<p><img></p>\n",
105
106		`<IMG SRC="jav&#x0A;ascript:alert('XSS');">`,
107		"<p><img></p>\n",
108
109		`<IMG SRC="jav&#x0D;ascript:alert('XSS');">`,
110		"<p><img></p>\n",
111
112		`<IMG SRC=" &#14;  javascript:alert('XSS');">`,
113		"<p><img></p>\n",
114
115		`<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
116		"<p>&lt;script/XSS SRC=&#34;http://ha.ckers.org/xss.js&#34;&gt;&lt;/script&gt;</p>\n",
117
118		"<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
119		"<p>&lt;body onload!#$%&amp;()*~+-_.,:;?@[/|\\]^`=alert(&#34;XSS&#34;)&gt;</p>\n",
120
121		`<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
122		"<p>&lt;script/SRC=&#34;http://ha.ckers.org/xss.js&#34;&gt;&lt;/script&gt;</p>\n",
123
124		`<<SCRIPT>alert("XSS");//<</SCRIPT>`,
125		"<p>&lt;&lt;script&gt;alert(&#34;XSS&#34;);//&lt;&lt;/script&gt;</p>\n",
126
127		"<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
128		"<p>&lt;script SRC=http://ha.ckers.org/xss.js?&lt; B &gt;</p>\n",
129
130		"<SCRIPT SRC=//ha.ckers.org/.j>",
131		"<p>&lt;script SRC=//ha.ckers.org/.j&gt;</p>\n",
132
133		`<IMG SRC="javascript:alert('XSS')"`,
134		"<p>&lt;IMG SRC=&#34;javascript:alert(&#39;XSS&#39;)&#34;</p>\n",
135
136		"<iframe src=http://ha.ckers.org/scriptlet.html <",
137		// The hyperlink gets linkified, the <iframe> gets escaped
138		"<p>&lt;iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> &lt;</p>\n",
139
140		// Additonal token types: SelfClosing, Comment, DocType.
141		"<br/>",
142		"<p><br/></p>\n",
143
144		"<!-- Comment -->",
145		"<!-- Comment -->\n",
146
147		"<!DOCTYPE test>",
148		"<p>&lt;!DOCTYPE test&gt;</p>\n",
149	}
150	doTestsSanitize(t, tests)
151}
152
153func TestSanitizeQuoteEscaping(t *testing.T) {
154	tests := []string{
155		// Make sure quotes are transported correctly (different entities or
156		// unicode, but correct semantics)
157		"<p>Here are some &quot;quotes&quot;.</p>\n",
158		"<p>Here are some &#34;quotes&#34;.</p>\n",
159
160		"<p>Here are some &ldquo;quotes&rdquo;.</p>\n",
161		"<p>Here are some \u201Cquotes\u201D.</p>\n",
162
163		// Within a <script> tag, content gets parsed by the raw text parsing rules.
164		// This test makes sure we correctly disable those parsing rules and do not
165		// escape e.g. the closing </p>.
166		`Here are <script> some "quotes".`,
167		"<p>Here are &lt;script&gt; some &#34;quotes&#34;.</p>\n",
168
169		// Same test for an unknown element that does not switch into raw mode.
170		`Here are <eviltag> some "quotes".`,
171		"<p>Here are &lt;eviltag&gt; some &#34;quotes&#34;.</p>\n",
172	}
173	doTestsSanitize(t, tests)
174}
175
176func TestSanitizeSelfClosingTag(t *testing.T) {
177	tests := []string{
178		"<hr>\n",
179		"<hr>\n",
180
181		"<hr/>\n",
182		"<hr/>\n",
183
184		// Make sure that evil attributes are stripped for self closing tags.
185		"<hr onclick=\"evil()\"/>\n",
186		"<hr/>\n",
187	}
188	doTestsSanitize(t, tests)
189}
190
191func TestSanitizeInlineLink(t *testing.T) {
192	tests := []string{
193		"[link](javascript:evil)",
194		"<p><a>link</a></p>\n",
195	}
196	doTestsSanitize(t, tests)
197}