We use cookies to ensure you get the best experience on our website
Trang chủ Khám phá
Đăng nhập
egonr
/
gogs
mirror of https://github.com/gogs/gogs
1
0
Fork 0
Các tập tin
Branch: main
Branches Tags
gogs
/
internal
/
markup
/
sanitizer_test.go

sanitizer_test.go 2.1 KB
Permalink Lịch sử Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. package markup_test
    2. 

  2. 

  3. import (
    4. 

  4. 	"testing"
    5. 

  5. 

  6. 	"github.com/stretchr/testify/assert"
    7. 

  7. 

  8. 	. "gogs.io/gogs/internal/markup"
    9. 

  9. )
    10. 

  10. 

  11. func Test_Sanitizer(t *testing.T) {
    12. 

  12. 	NewSanitizer()
    13. 

  13. 	tests := []struct {
    14. 

  14. 		input  string
    15. 

  15. 		expVal string
    16. 

  16. 	}{
    17. 

  17. 		// Regular
    18. 

  18. 		{input: `<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, expVal: `<a href="http://www.google.com" rel="nofollow">Google</a>`},
    19. 

  19. 

  20. 		// Code highlighting class
    21. 

  21. 		{input: `<code class="random string"></code>`, expVal: `<code></code>`},
    22. 

  22. 		{input: `<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, expVal: `<code></code>`},
    23. 

  23. 		{input: `<code class="language-go"></code>`, expVal: `<code class="language-go"></code>`},
    24. 

  24. 

  25. 		// Input checkbox
    26. 

  26. 		{input: `<input type="hidden">`, expVal: ``},
    27. 

  27. 		{input: `<input type="checkbox">`, expVal: `<input type="checkbox">`},
    28. 

  28. 		{input: `<input checked disabled autofocus>`, expVal: `<input checked="" disabled="">`},
    29. 

  29. 

  30. 		// Data URIs: safe image types should be allowed
    31. 

  31. 		{input: `<img src="data:image/png;base64,abc">`, expVal: `<img src="data:image/png;base64,abc">`},
    32. 

  32. 		{input: `<img src="data:image/jpeg;base64,abc">`, expVal: `<img src="data:image/jpeg;base64,abc">`},
    33. 

  33. 		{input: `<img src="data:image/gif;base64,abc">`, expVal: `<img src="data:image/gif;base64,abc">`},
    34. 

  34. 		{input: `<img src="data:image/webp;base64,abc">`, expVal: `<img src="data:image/webp;base64,abc">`},
    35. 

  35. 

  36. 		// Data URIs: text/html must be stripped to prevent XSS (GHSA-xrcr-gmf5-2r8j)
    37. 

  37. 		{input: `<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click</a>`, expVal: `Click`},
    38. 

  38. 		{input: `<a href="data:text/html,<script>alert(1)</script>">XSS</a>`, expVal: `XSS`},
    39. 

  39. 		{input: `<img src="data:text/html;base64,abc">`, expVal: ``},
    40. 

  40. 

  41. 		// Data URIs: SVG must be stripped (can contain embedded JavaScript)
    42. 

  42. 		{input: `<img src="data:image/svg+xml;base64,abc">`, expVal: ``},
    43. 

  43. 	}
    44. 

  44. 	for _, test := range tests {
    45. 

  45. 		t.Run(test.input, func(t *testing.T) {
    46. 

  46. 			assert.Equal(t, test.expVal, Sanitize(test.input))
    47. 

  47. 			assert.Equal(t, test.expVal, string(SanitizeBytes([]byte(test.input))))
    48. 

  48. 		})
    49. 

  49. 	}
    50. 

  50. }
    51.