Move sanitization tests into their own file. Also adds an explicit test for [link](...) syntax to be sanitized.
Martin Probst martin@probst.io
Sat, 03 May 2014 14:37:23 +0200
2 files changed,
197 insertions(+),
180 deletions(-)
M
inline_test.go
→
inline_test.go
@@ -69,186 +69,6 @@ }
} } -func TestRawHtmlTag(t *testing.T) { - tests := []string{ - "zz <style>p {}</style>\n", - "<p>zz <style>p {}</style></p>\n", - - "zz <STYLE>p {}</STYLE>\n", - "<p>zz <style>p {}</style></p>\n", - - "<SCRIPT>alert()</SCRIPT>\n", - "<p><script>alert()</script></p>\n", - - "zz <SCRIPT>alert()</SCRIPT>\n", - "<p>zz <script>alert()</script></p>\n", - - "zz <script>alert()</script>\n", - "<p>zz <script>alert()</script></p>\n", - - " <script>alert()</script>\n", - "<p><script>alert()</script></p>\n", - - "<script>alert()</script>\n", - "<script>alert()</script>\n", - - "<script src='foo'></script>\n", - "<script src='foo'></script>\n", - - "<script src='a>b'></script>\n", - "<script src='a>b'></script>\n", - - "zz <script src='foo'></script>\n", - "<p>zz <script src='foo'></script></p>\n", - - "zz <script src=foo></script>\n", - "<p>zz <script src=foo></script></p>\n", - - `<script><script src="http://example.com/exploit.js"></SCRIPT></script>`, - "<script><script src="http://example.com/exploit.js"></script></script>\n", - - `'';!--"<XSS>=&{()}`, - "<p>'';!--"<xss>=&{()}</p>\n", - - "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>", - "<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n", - - "<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>", - "<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n", - - `<IMG SRC="javascript:alert('XSS');">`, - "<p><img></p>\n", - - "<IMG SRC=javascript:alert('XSS')>", - "<p><img></p>\n", - - "<IMG SRC=JaVaScRiPt:alert('XSS')>", - "<p><img></p>\n", - - "<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>", - "<p><img></p>\n", - - `<a onmouseover="alert(document.cookie)">xss link</a>`, - "<p><a>xss link</a></p>\n", - - "<a onmouseover=alert(document.cookie)>xss link</a>", - "<p><a>xss link</a></p>\n", - - `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`, - "<p><img><script>alert("XSS")</script>"></p>\n", - - "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", - "<p><img></p>\n", - - `<IMG SRC=# onmouseover="alert('xxs')">`, - "<p><img></p>\n", - - `<IMG SRC= onmouseover="alert('xxs')">`, - "<p><img></p>\n", - - `<IMG onmouseover="alert('xxs')">`, - "<p><img></p>\n", - - "<IMG SRC=javascript:alert('XSS')>", - "<p><img></p>\n", - - "<IMG SRC=javascript:alert('XSS')>", - "<p><img></p>\n", - - "<IMG SRC=javascript:alert('XSS')>", - "<p><img></p>\n", - - `<IMG SRC="javascriptascript:alert('XSS');">`, - "<p><img></p>\n", - - `<IMG SRC="jav	ascript:alert('XSS');">`, - "<p><img></p>\n", - - `<IMG SRC="jav
ascript:alert('XSS');">`, - "<p><img></p>\n", - - `<IMG SRC="jav
ascript:alert('XSS');">`, - "<p><img></p>\n", - - `<IMG SRC="  javascript:alert('XSS');">`, - "<p><img></p>\n", - - `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, - "<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n", - - "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", - "<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n", - - `<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, - "<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n", - - `<<SCRIPT>alert("XSS");//<</SCRIPT>`, - "<p><<script>alert("XSS");//<</script></p>\n", - - "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", - "<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n", - - "<SCRIPT SRC=//ha.ckers.org/.j>", - "<p><script SRC=//ha.ckers.org/.j></p>\n", - - `<IMG SRC="javascript:alert('XSS')"`, - "<p><IMG SRC="javascript:alert('XSS')"</p>\n", - - "<iframe src=http://ha.ckers.org/scriptlet.html <", - // The hyperlink gets linkified, the <iframe> gets escaped - "<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n", - - // Additonal token types: SelfClosing, Comment, DocType. - "<br/>", - "<p><br/></p>\n", - - "<!-- Comment -->", - "<!-- Comment -->\n", - - "<!DOCTYPE test>", - "<p><!DOCTYPE test></p>\n", - } - doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT) -} - -func TestQuoteEscaping(t *testing.T) { - tests := []string{ - // Make sure quotes are transported correctly (different entities or - // unicode, but correct semantics) - "<p>Here are some "quotes".</p>\n", - "<p>Here are some "quotes".</p>\n", - - "<p>Here are some “quotes”.</p>\n", - "<p>Here are some \u201Cquotes\u201D.</p>\n", - - // Within a <script> tag, content gets parsed by the raw text parsing rules. - // This test makes sure we correctly disable those parsing rules and do not - // escape e.g. the closing </p>. - `Here are <script> some "quotes".`, - "<p>Here are <script> some "quotes".</p>\n", - - // Same test for an unknown element that does not switch into raw mode. - `Here are <eviltag> some "quotes".`, - "<p>Here are <eviltag> some "quotes".</p>\n", - } - doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT) -} - -func TestSanitizeSelfClosingTag(t *testing.T) { - tests := []string{ - "<hr>\n", - "<hr>\n", - - "<hr/>\n", - "<hr/>\n", - - // Make sure that evil attributes are stripped for self closing tags. - "<hr onclick=\"evil()\"/>\n", - "<hr/>\n", - } - doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT) -} - func TestEmphasis(t *testing.T) { var tests = []string{ "nothing inline\n",
A
sanitize_test.go
@@ -0,0 +1,197 @@
+package blackfriday + +import ( + "testing" +) + +func doTestsSanitize(t *testing.T, tests []string) { + doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT) +} + +func TestSanitizeRawHtmlTag(t *testing.T) { + tests := []string{ + "zz <style>p {}</style>\n", + "<p>zz <style>p {}</style></p>\n", + + "zz <STYLE>p {}</STYLE>\n", + "<p>zz <style>p {}</style></p>\n", + + "<SCRIPT>alert()</SCRIPT>\n", + "<p><script>alert()</script></p>\n", + + "zz <SCRIPT>alert()</SCRIPT>\n", + "<p>zz <script>alert()</script></p>\n", + + "zz <script>alert()</script>\n", + "<p>zz <script>alert()</script></p>\n", + + " <script>alert()</script>\n", + "<p><script>alert()</script></p>\n", + + "<script>alert()</script>\n", + "<script>alert()</script>\n", + + "<script src='foo'></script>\n", + "<script src='foo'></script>\n", + + "<script src='a>b'></script>\n", + "<script src='a>b'></script>\n", + + "zz <script src='foo'></script>\n", + "<p>zz <script src='foo'></script></p>\n", + + "zz <script src=foo></script>\n", + "<p>zz <script src=foo></script></p>\n", + + `<script><script src="http://example.com/exploit.js"></SCRIPT></script>`, + "<script><script src="http://example.com/exploit.js"></script></script>\n", + + `'';!--"<XSS>=&{()}`, + "<p>'';!--"<xss>=&{()}</p>\n", + + "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>", + "<p><script SRC=http://ha.ckers.org/xss.js></script></p>\n", + + "<SCRIPT \nSRC=http://ha.ckers.org/xss.js></SCRIPT>", + "<p><script \nSRC=http://ha.ckers.org/xss.js></script></p>\n", + + `<IMG SRC="javascript:alert('XSS');">`, + "<p><img></p>\n", + + "<IMG SRC=javascript:alert('XSS')>", + "<p><img></p>\n", + + "<IMG SRC=JaVaScRiPt:alert('XSS')>", + "<p><img></p>\n", + + "<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>", + "<p><img></p>\n", + + `<a onmouseover="alert(document.cookie)">xss link</a>`, + "<p><a>xss link</a></p>\n", + + "<a onmouseover=alert(document.cookie)>xss link</a>", + "<p><a>xss link</a></p>\n", + + `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`, + "<p><img><script>alert("XSS")</script>"></p>\n", + + "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>", + "<p><img></p>\n", + + `<IMG SRC=# onmouseover="alert('xxs')">`, + "<p><img></p>\n", + + `<IMG SRC= onmouseover="alert('xxs')">`, + "<p><img></p>\n", + + `<IMG onmouseover="alert('xxs')">`, + "<p><img></p>\n", + + "<IMG SRC=javascript:alert('XSS')>", + "<p><img></p>\n", + + "<IMG SRC=javascript:alert('XSS')>", + "<p><img></p>\n", + + "<IMG SRC=javascript:alert('XSS')>", + "<p><img></p>\n", + + `<IMG SRC="javascriptascript:alert('XSS');">`, + "<p><img></p>\n", + + `<IMG SRC="jav	ascript:alert('XSS');">`, + "<p><img></p>\n", + + `<IMG SRC="jav
ascript:alert('XSS');">`, + "<p><img></p>\n", + + `<IMG SRC="jav
ascript:alert('XSS');">`, + "<p><img></p>\n", + + `<IMG SRC="  javascript:alert('XSS');">`, + "<p><img></p>\n", + + `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, + "<p><script/XSS SRC="http://ha.ckers.org/xss.js"></script></p>\n", + + "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", + "<p><body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")></p>\n", + + `<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, + "<p><script/SRC="http://ha.ckers.org/xss.js"></script></p>\n", + + `<<SCRIPT>alert("XSS");//<</SCRIPT>`, + "<p><<script>alert("XSS");//<</script></p>\n", + + "<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >", + "<p><script SRC=http://ha.ckers.org/xss.js?< B ></p>\n", + + "<SCRIPT SRC=//ha.ckers.org/.j>", + "<p><script SRC=//ha.ckers.org/.j></p>\n", + + `<IMG SRC="javascript:alert('XSS')"`, + "<p><IMG SRC="javascript:alert('XSS')"</p>\n", + + "<iframe src=http://ha.ckers.org/scriptlet.html <", + // The hyperlink gets linkified, the <iframe> gets escaped + "<p><iframe src=<a href=\"http://ha.ckers.org/scriptlet.html\">http://ha.ckers.org/scriptlet.html</a> <</p>\n", + + // Additonal token types: SelfClosing, Comment, DocType. + "<br/>", + "<p><br/></p>\n", + + "<!-- Comment -->", + "<!-- Comment -->\n", + + "<!DOCTYPE test>", + "<p><!DOCTYPE test></p>\n", + } + doTestsSanitize(t, tests) +} + +func TestSanitizeQuoteEscaping(t *testing.T) { + tests := []string{ + // Make sure quotes are transported correctly (different entities or + // unicode, but correct semantics) + "<p>Here are some "quotes".</p>\n", + "<p>Here are some "quotes".</p>\n", + + "<p>Here are some “quotes”.</p>\n", + "<p>Here are some \u201Cquotes\u201D.</p>\n", + + // Within a <script> tag, content gets parsed by the raw text parsing rules. + // This test makes sure we correctly disable those parsing rules and do not + // escape e.g. the closing </p>. + `Here are <script> some "quotes".`, + "<p>Here are <script> some "quotes".</p>\n", + + // Same test for an unknown element that does not switch into raw mode. + `Here are <eviltag> some "quotes".`, + "<p>Here are <eviltag> some "quotes".</p>\n", + } + doTestsSanitize(t, tests) +} + +func TestSanitizeSelfClosingTag(t *testing.T) { + tests := []string{ + "<hr>\n", + "<hr>\n", + + "<hr/>\n", + "<hr/>\n", + + // Make sure that evil attributes are stripped for self closing tags. + "<hr onclick=\"evil()\"/>\n", + "<hr/>\n", + } + doTestsSanitize(t, tests) +} + +func TestSanitizeInlineLink(t *testing.T) { + tests := []string{ + "[link](javascript:evil)", + "<p><a>link</a></p>\n", + } + doTestsSanitize(t, tests) +}