sanitize_test.go (view raw)
1package blackfriday
2
3import (
4 "testing"
5)
6
7func doTestsSanitize(t *testing.T, tests []string) {
8 doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT, HtmlRendererParameters{})
9}
10
11func TestSanitizeRawHtmlTag(t *testing.T) {
12 tests := []string{
13 "zz <style>p {}</style>\n",
14 "<p>zz <style>p {}</style></p>\n",
15
16 "zz <STYLE>p {}</STYLE>\n",
17 "<p>zz <style>p {}</style></p>\n",
18
19 "<SCRIPT>alert()</SCRIPT>\n",
20 "<p><script>alert()</script></p>\n",
21
22 "zz <SCRIPT>alert()</SCRIPT>\n",
23 "<p>zz <script>alert()</script></p>\n",
24
25 "zz <script>alert()</script>\n",
26 "<p>zz <script>alert()</script></p>\n",
27
28 " <script>alert()</script>\n",
29 "<p><script>alert()</script></p>\n",
30
31 "<script>alert()</script>\n",
32 "<script>alert()</script>\n",
33
34 "<script src='foo'></script>\n",
35 "<script src='foo'></script>\n",
36
37 "<script src='a>b'></script>\n",
38 "<script src='a>b'></script>\n",
39
40 "zz <script src='foo'></script>\n",
41 "<p>zz <script src='foo'></script></p>\n",
42
43 "zz <script src=foo></script>\n",
44 "<p>zz <script src=foo></script></p>\n",
45
46 `<script><script src="http://example.com/exploit.js"></SCRIPT></script>`,
47 "<script><script src="http://example.com/exploit.js"></script></script>\n",
48
49 `'';!--"<XSS>=&{()}`,
50 "<p>'';!--"<xss>=&{()}</p>\n",
51
52 "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
53 "<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n",
54
55 "<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>",
56 "<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n",
57
58 `<IMG SRC="javascript:alert('XSS');">`,
59 "<p><img></p>\n",
60
61 "<IMG SRC=javascript:alert('XSS')>",
62 "<p><img></p>\n",
63
64 "<IMG SRC=JaVaScRiPt:alert('XSS')>",
65 "<p><img></p>\n",
66
67 "<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>",
68 "<p><img></p>\n",
69
70 `<a onmouseover="alert(document.cookie)">xss link</a>`,
71 "<p><a>xss link</a></p>\n",
72
73 "<a onmouseover=alert(document.cookie)>xss link</a>",
74 "<p><a>xss link</a></p>\n",
75
76 `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`,
77 "<p><img><script>alert("XSS")</script>"></p>\n",
78
79 "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
80 "<p><img></p>\n",
81
82 `<IMG SRC=# onmouseover="alert('xxs')">`,
83 "<p><img src=\"#\"></p>\n",
84
85 `<IMG SRC= onmouseover="alert('xxs')">`,
86 "<p><img></p>\n",
87
88 `<IMG onmouseover="alert('xxs')">`,
89 "<p><img></p>\n",
90
91 "<IMG SRC=javascript:alert('XSS')>",
92 "<p><img></p>\n",
93
94 "<IMG SRC=javascript:alert('XSS')>",
95 "<p><img></p>\n",
96
97 "<IMG SRC=javascript:alert('XSS')>",
98 "<p><img></p>\n",
99
100 `<IMG SRC="javascriptascript:alert('XSS');">`,
101 "<p><img></p>\n",
102
103 `<IMG SRC="jav	ascript:alert('XSS');">`,
104 "<p><img></p>\n",
105
106 `<IMG SRC="jav
ascript:alert('XSS');">`,
107 "<p><img></p>\n",
108
109 `<IMG SRC="jav
ascript:alert('XSS');">`,
110 "<p><img></p>\n",
111
112 `<IMG SRC="  javascript:alert('XSS');">`,
113 "<p><img></p>\n",
114
115 `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
116 "<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n",
117
118 "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>",
119 "<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n",
120
121 `<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`,
122 "<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n",
123
124 `<<SCRIPT>alert("XSS");//<</SCRIPT>`,
125 "<p><<script>alert("XSS");//<</script></p>\n",
126
127 "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >",
128 "<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n",
129
130 "<SCRIPT SRC=//ha.ckers.org/.j>",
131 "<p><script SRC=//ha.ckers.org/.j></p>\n",
132
133 `<IMG SRC="javascript:alert('XSS')"`,
134 "<p><IMG SRC="javascript:alert('XSS')"</p>\n",
135
136 "<iframe src=http://ha.ckers.org/scriptlet.html <",
137 // The hyperlink gets linkified, the <iframe> gets escaped
138 "<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n",
139
140 // Additonal token types: SelfClosing, Comment, DocType.
141 "<br/>",
142 "<p><br/></p>\n",
143
144 "<!-- Comment -->",
145 "<!-- Comment -->\n",
146
147 "<!DOCTYPE test>",
148 "<p><!DOCTYPE test></p>\n",
149 }
150 doTestsSanitize(t, tests)
151}
152
153func TestSanitizeQuoteEscaping(t *testing.T) {
154 tests := []string{
155 // Make sure quotes are transported correctly (different entities or
156 // unicode, but correct semantics)
157 "<p>Here are some "quotes".</p>\n",
158 "<p>Here are some "quotes".</p>\n",
159
160 "<p>Here are some “quotes”.</p>\n",
161 "<p>Here are some \u201Cquotes\u201D.</p>\n",
162
163 // Within a <script> tag, content gets parsed by the raw text parsing rules.
164 // This test makes sure we correctly disable those parsing rules and do not
165 // escape e.g. the closing </p>.
166 `Here are <script> some "quotes".`,
167 "<p>Here are <script> some "quotes".</p>\n",
168
169 // Same test for an unknown element that does not switch into raw mode.
170 `Here are <eviltag> some "quotes".`,
171 "<p>Here are <eviltag> some "quotes".</p>\n",
172 }
173 doTestsSanitize(t, tests)
174}
175
176func TestSanitizeSelfClosingTag(t *testing.T) {
177 tests := []string{
178 "<hr>\n",
179 "<hr>\n",
180
181 "<hr/>\n",
182 "<hr/>\n",
183
184 // Make sure that evil attributes are stripped for self closing tags.
185 "<hr onclick=\"evil()\"/>\n",
186 "<hr/>\n",
187 }
188 doTestsSanitize(t, tests)
189}
190
191func TestSanitizeInlineLink(t *testing.T) {
192 tests := []string{
193 "[link](javascript:evil)",
194 "<p><a>link</a></p>\n",
195 "[link](/abc)",
196 "<p><a href=\"/abc\">link</a></p>\n",
197 }
198 doTestsSanitize(t, tests)
199}