govspeak 1.1.0 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/govspeak.rb +4 -0
- data/lib/govspeak/version.rb +1 -1
- data/test/govspeak_test.rb +5 -0
- data/test/html_sanitizer_test.rb +30 -0
- data/test/html_validator_test.rb +1 -1
- metadata +5 -3
data/lib/govspeak.rb
CHANGED
data/lib/govspeak/version.rb
CHANGED
data/test/govspeak_test.rb
CHANGED
|
@@ -432,6 +432,11 @@ $CTA
|
|
|
432
432
|
end
|
|
433
433
|
end
|
|
434
434
|
|
|
435
|
+
test "can sanitize a document" do
|
|
436
|
+
document = Govspeak::Document.new("<script>doBadThings();</script>")
|
|
437
|
+
assert_equal "doBadThings();", document.to_sanitized_html
|
|
438
|
+
end
|
|
439
|
+
|
|
435
440
|
test "identifies a Govspeak document containing malicious HTML as invalid" do
|
|
436
441
|
document = Govspeak::Document.new("<script>doBadThings();</script>")
|
|
437
442
|
refute document.valid?
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
require "test_helper"
|
|
2
|
+
|
|
3
|
+
class HtmlSanitizerTest < Test::Unit::TestCase
|
|
4
|
+
|
|
5
|
+
test "disallow a script tag" do
|
|
6
|
+
html = "<script>alert('XSS')</script>"
|
|
7
|
+
assert_equal "alert('XSS')", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
test "disallow a javascript protocol in an attribute" do
|
|
11
|
+
html = %q{<a href="javascript:alert(document.location);"
|
|
12
|
+
title="Title">an example</a>}
|
|
13
|
+
assert_equal "<a title=\"Title\">an example</a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
test "disallow on* attributes" do
|
|
17
|
+
html = %q{<a href="/" onclick="alert('xss');">Link</a>}
|
|
18
|
+
assert_equal "<a href=\"/\">Link</a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
test "allow non-JS HTML content" do
|
|
22
|
+
html = "<a href='foo'>"
|
|
23
|
+
assert_equal "<a href=\"foo\"></a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
test "keep things that should be HTML entities" do
|
|
27
|
+
html = "Fortnum & Mason"
|
|
28
|
+
assert_equal "Fortnum & Mason", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
29
|
+
end
|
|
30
|
+
end
|
data/test/html_validator_test.rb
CHANGED
metadata
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
name: govspeak
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease:
|
|
5
|
-
version: 1.
|
|
5
|
+
version: 1.2.0
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- Ben Griffiths
|
|
@@ -112,6 +112,7 @@ files:
|
|
|
112
112
|
- README.md
|
|
113
113
|
- Gemfile
|
|
114
114
|
- Rakefile
|
|
115
|
+
- test/html_sanitizer_test.rb
|
|
115
116
|
- test/html_validator_test.rb
|
|
116
117
|
- test/govspeak_test_helper.rb
|
|
117
118
|
- test/govspeak_test.rb
|
|
@@ -129,7 +130,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
129
130
|
requirements:
|
|
130
131
|
- - ">="
|
|
131
132
|
- !ruby/object:Gem::Version
|
|
132
|
-
hash:
|
|
133
|
+
hash: 2266013611251793811
|
|
133
134
|
segments:
|
|
134
135
|
- 0
|
|
135
136
|
version: "0"
|
|
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
139
|
requirements:
|
|
139
140
|
- - ">="
|
|
140
141
|
- !ruby/object:Gem::Version
|
|
141
|
-
hash:
|
|
142
|
+
hash: 2266013611251793811
|
|
142
143
|
segments:
|
|
143
144
|
- 0
|
|
144
145
|
version: "0"
|
|
@@ -150,6 +151,7 @@ signing_key:
|
|
|
150
151
|
specification_version: 3
|
|
151
152
|
summary: Markup language for single domain
|
|
152
153
|
test_files:
|
|
154
|
+
- test/html_sanitizer_test.rb
|
|
153
155
|
- test/html_validator_test.rb
|
|
154
156
|
- test/govspeak_test_helper.rb
|
|
155
157
|
- test/govspeak_test.rb
|