loofah 1.0.0 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- data/.gemtest +0 -0
- data/CHANGELOG.rdoc +9 -0
- data/Gemfile +19 -1
- data/Manifest.txt +2 -0
- data/README.rdoc +1 -1
- data/Rakefile +11 -3
- data/lib/loofah.rb +1 -8
- data/lib/loofah/elements.rb +5 -7
- data/lib/loofah/html/document_fragment.rb +3 -1
- data/lib/loofah/html5/scrub.rb +27 -13
- data/lib/loofah/html5/whitelist.rb +38 -35
- data/lib/loofah/instance_methods.rb +1 -1
- data/lib/loofah/metahelpers.rb +7 -9
- data/lib/loofah/scrubber.rb +1 -1
- data/lib/loofah/scrubbers.rb +5 -7
- data/lib/loofah/xml/document_fragment.rb +3 -1
- data/test/assets/testdata_sanitizer_tests1.dat +501 -0
- data/test/helper.rb +13 -3
- data/test/html5/test_sanitizer.rb +20 -17
- data/test/integration/test_ad_hoc.rb +8 -8
- data/test/integration/test_helpers.rb +6 -6
- data/test/integration/test_html.rb +11 -9
- data/test/integration/test_scrubbers.rb +58 -58
- data/test/integration/test_xml.rb +4 -4
- data/test/unit/test_api.rb +4 -4
- data/test/unit/test_encoding.rb +20 -0
- data/test/unit/test_helpers.rb +11 -11
- data/test/unit/test_scrubber.rb +35 -35
- data/test/unit/test_scrubbers.rb +3 -3
- metadata +108 -51
@@ -0,0 +1,501 @@
|
|
1
|
+
[
|
2
|
+
{
|
3
|
+
"name": "IE_Comments",
|
4
|
+
"input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
|
5
|
+
"output": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->"
|
6
|
+
},
|
7
|
+
|
8
|
+
{
|
9
|
+
"name": "IE_Comments_2",
|
10
|
+
"input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
|
11
|
+
"output": "<script>alert('XSS');</script>",
|
12
|
+
"rexml": "Ill-formed XHTML!"
|
13
|
+
},
|
14
|
+
|
15
|
+
{
|
16
|
+
"name": "allow_colons_in_path_component",
|
17
|
+
"input": "<a href=\"./this:that\">foo</a>",
|
18
|
+
"output": "<a href='./this:that'>foo</a>"
|
19
|
+
},
|
20
|
+
|
21
|
+
{
|
22
|
+
"name": "background_attribute",
|
23
|
+
"input": "<div background=\"javascript:alert('XSS')\"></div>",
|
24
|
+
"output": "<div/>",
|
25
|
+
"xhtml": "<div></div>",
|
26
|
+
"rexml": "<div></div>"
|
27
|
+
},
|
28
|
+
|
29
|
+
{
|
30
|
+
"name": "bgsound",
|
31
|
+
"input": "<bgsound src=\"javascript:alert('XSS');\" />",
|
32
|
+
"output": "<bgsound src=\"javascript:alert('XSS');\"/>",
|
33
|
+
"rexml": "<bgsound src=\"javascript:alert('XSS');\"></bgsound>"
|
34
|
+
},
|
35
|
+
|
36
|
+
{
|
37
|
+
"name": "div_background_image_unicode_encoded",
|
38
|
+
"input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>",
|
39
|
+
"output": "<div style=''>foo</div>"
|
40
|
+
},
|
41
|
+
|
42
|
+
{
|
43
|
+
"name": "div_expression",
|
44
|
+
"input": "<div style=\"width: expression(alert('XSS'));\">foo</div>",
|
45
|
+
"output": "<div style=''>foo</div>"
|
46
|
+
},
|
47
|
+
|
48
|
+
{
|
49
|
+
"name": "double_open_angle_brackets",
|
50
|
+
"input": "<img src=http://ha.ckers.org/scriptlet.html <",
|
51
|
+
"output": "<img src='http://ha.ckers.org/scriptlet.html'>",
|
52
|
+
"rexml": "Ill-formed XHTML!"
|
53
|
+
},
|
54
|
+
|
55
|
+
{
|
56
|
+
"name": "double_open_angle_brackets_2",
|
57
|
+
"input": "<script src=http://ha.ckers.org/scriptlet.html <",
|
58
|
+
"output": "<script src=\"http://ha.ckers.org/scriptlet.html\"></script>",
|
59
|
+
"rexml": "Ill-formed XHTML!"
|
60
|
+
},
|
61
|
+
|
62
|
+
{
|
63
|
+
"name": "grave_accents",
|
64
|
+
"input": "<img src=`javascript:alert('XSS')` />",
|
65
|
+
"output": "<img>",
|
66
|
+
"rexml": "Ill-formed XHTML!"
|
67
|
+
},
|
68
|
+
|
69
|
+
{
|
70
|
+
"name": "img_dynsrc_lowsrc",
|
71
|
+
"input": "<img dynsrc=\"javascript:alert('XSS')\" />",
|
72
|
+
"output": "<img>",
|
73
|
+
"rexml": "<img />"
|
74
|
+
},
|
75
|
+
|
76
|
+
{
|
77
|
+
"name": "img_vbscript",
|
78
|
+
"input": "<img src='vbscript:msgbox(\"XSS\")' />",
|
79
|
+
"output": "<img>",
|
80
|
+
"rexml": "<img />"
|
81
|
+
},
|
82
|
+
|
83
|
+
{
|
84
|
+
"name": "input_image",
|
85
|
+
"input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />",
|
86
|
+
"output": "<input type='image'>",
|
87
|
+
"rexml": "<input type='image' />"
|
88
|
+
},
|
89
|
+
|
90
|
+
{
|
91
|
+
"name": "link_stylesheets",
|
92
|
+
"input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
|
93
|
+
"output": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\">",
|
94
|
+
"rexml": "<link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/>"
|
95
|
+
},
|
96
|
+
|
97
|
+
{
|
98
|
+
"name": "link_stylesheets_2",
|
99
|
+
"input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
|
100
|
+
"output": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\">",
|
101
|
+
"rexml": "<link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/>"
|
102
|
+
},
|
103
|
+
|
104
|
+
{
|
105
|
+
"name": "list_style_image",
|
106
|
+
"input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>",
|
107
|
+
"output": "<li style=''>foo</li>"
|
108
|
+
},
|
109
|
+
|
110
|
+
{
|
111
|
+
"name": "no_closing_script_tags",
|
112
|
+
"input": "<script src=http://ha.ckers.org/xss.js?<b>",
|
113
|
+
"output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\"></script>",
|
114
|
+
"rexml": "Ill-formed XHTML!"
|
115
|
+
},
|
116
|
+
|
117
|
+
{
|
118
|
+
"name": "non_alpha_non_digit",
|
119
|
+
"input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
|
120
|
+
"output": "<script src=\"http://ha.ckers.org/xss.js\"></script>",
|
121
|
+
"rexml": "Ill-formed XHTML!"
|
122
|
+
},
|
123
|
+
|
124
|
+
{
|
125
|
+
"name": "non_alpha_non_digit_2",
|
126
|
+
"input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>",
|
127
|
+
"output": "<a>foo</a>",
|
128
|
+
"rexml": "Ill-formed XHTML!"
|
129
|
+
},
|
130
|
+
|
131
|
+
{
|
132
|
+
"name": "non_alpha_non_digit_3",
|
133
|
+
"input": "<img/src=\"http://ha.ckers.org/xss.js\"/>",
|
134
|
+
"output": "<img>",
|
135
|
+
"rexml": "Ill-formed XHTML!"
|
136
|
+
},
|
137
|
+
|
138
|
+
{
|
139
|
+
"name": "non_alpha_non_digit_II",
|
140
|
+
"input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>",
|
141
|
+
"output": "<a href>foo</a>",
|
142
|
+
"rexml": "Ill-formed XHTML!"
|
143
|
+
},
|
144
|
+
|
145
|
+
{
|
146
|
+
"name": "non_alpha_non_digit_III",
|
147
|
+
"input": "<a/href=\"javascript:alert('XSS');\">foo</a>",
|
148
|
+
"output": "<a>foo</a>",
|
149
|
+
"rexml": "Ill-formed XHTML!"
|
150
|
+
},
|
151
|
+
|
152
|
+
{
|
153
|
+
"name": "platypus",
|
154
|
+
"input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
|
155
|
+
"output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-repeat: repeat;'>never trust your upstream platypus</a>"
|
156
|
+
},
|
157
|
+
|
158
|
+
{
|
159
|
+
"name": "protocol_resolution_in_script_tag",
|
160
|
+
"input": "<script src=//ha.ckers.org/.j></script>",
|
161
|
+
"output": "<script src=\"//ha.ckers.org/.j\"></script>",
|
162
|
+
"rexml": "Ill-formed XHTML!"
|
163
|
+
},
|
164
|
+
|
165
|
+
{
|
166
|
+
"name": "should_allow_anchors",
|
167
|
+
"input": "<a href='foo' onclick='bar'><script>baz</script></a>",
|
168
|
+
"output": "<a href='foo'><script>baz</script></a>"
|
169
|
+
},
|
170
|
+
|
171
|
+
{
|
172
|
+
"name": "should_allow_image_alt_attribute",
|
173
|
+
"input": "<img alt='foo' onclick='bar' />",
|
174
|
+
"output": "<img alt='foo'>",
|
175
|
+
"rexml": "<img alt='foo' />"
|
176
|
+
},
|
177
|
+
|
178
|
+
{
|
179
|
+
"name": "should_allow_image_height_attribute",
|
180
|
+
"input": "<img height='foo' onclick='bar' />",
|
181
|
+
"output": "<img height='foo'>",
|
182
|
+
"rexml": "<img height='foo' />"
|
183
|
+
},
|
184
|
+
|
185
|
+
{
|
186
|
+
"name": "should_allow_image_src_attribute",
|
187
|
+
"input": "<img src='foo' onclick='bar' />",
|
188
|
+
"output": "<img src='foo'>",
|
189
|
+
"rexml": "<img src='foo' />"
|
190
|
+
},
|
191
|
+
|
192
|
+
{
|
193
|
+
"name": "should_allow_image_width_attribute",
|
194
|
+
"input": "<img width='foo' onclick='bar' />",
|
195
|
+
"output": "<img width='foo'>",
|
196
|
+
"rexml": "<img width='foo' />"
|
197
|
+
},
|
198
|
+
|
199
|
+
{
|
200
|
+
"name": "should_handle_blank_text",
|
201
|
+
"input": "",
|
202
|
+
"output": ""
|
203
|
+
},
|
204
|
+
|
205
|
+
{
|
206
|
+
"name": "should_handle_malformed_image_tags",
|
207
|
+
"input": "<img \"\"\"><script>alert(\"XSS\")</script>\">",
|
208
|
+
"output": "<img><script>alert(\"XSS\")</script>\">",
|
209
|
+
"rexml": "Ill-formed XHTML!"
|
210
|
+
},
|
211
|
+
|
212
|
+
{
|
213
|
+
"name": "should_handle_non_html",
|
214
|
+
"input": "abc",
|
215
|
+
"output": "abc"
|
216
|
+
},
|
217
|
+
|
218
|
+
{
|
219
|
+
"name": "should_not_fall_for_ridiculous_hack",
|
220
|
+
"input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />",
|
221
|
+
"output": "<img>",
|
222
|
+
"rexml": "<img />"
|
223
|
+
},
|
224
|
+
|
225
|
+
{
|
226
|
+
"name": "should_not_fall_for_xss_image_hack_0",
|
227
|
+
"input": "<img src=\"javascript:alert('XSS');\" />",
|
228
|
+
"output": "<img>",
|
229
|
+
"rexml": "<img />"
|
230
|
+
},
|
231
|
+
|
232
|
+
{
|
233
|
+
"name": "should_not_fall_for_xss_image_hack_1",
|
234
|
+
"input": "<img src=javascript:alert('XSS') />",
|
235
|
+
"output": "<img>",
|
236
|
+
"rexml": "Ill-formed XHTML!"
|
237
|
+
},
|
238
|
+
|
239
|
+
{
|
240
|
+
"name": "should_not_fall_for_xss_image_hack_10",
|
241
|
+
"input": "<img src=\"jav
ascript:alert('XSS');\" />",
|
242
|
+
"output": "<img>",
|
243
|
+
"rexml": "<img />"
|
244
|
+
},
|
245
|
+
|
246
|
+
{
|
247
|
+
"name": "should_not_fall_for_xss_image_hack_11",
|
248
|
+
"input": "<img src=\"jav
ascript:alert('XSS');\" />",
|
249
|
+
"output": "<img>",
|
250
|
+
"rexml": "<img />"
|
251
|
+
},
|
252
|
+
|
253
|
+
{
|
254
|
+
"name": "should_not_fall_for_xss_image_hack_12",
|
255
|
+
"input": "<img src=\"  javascript:alert('XSS');\" />",
|
256
|
+
"output": "<img src=''>",
|
257
|
+
"rexml": "<img />"
|
258
|
+
},
|
259
|
+
|
260
|
+
{
|
261
|
+
"name": "should_not_fall_for_xss_image_hack_13",
|
262
|
+
"input": "<img src=\" javascript:alert('XSS');\" />",
|
263
|
+
"output": "<img>",
|
264
|
+
"rexml": "<img />"
|
265
|
+
},
|
266
|
+
|
267
|
+
{
|
268
|
+
"name": "should_not_fall_for_xss_image_hack_14",
|
269
|
+
"input": "<img src=\" javascript:alert('XSS');\" />",
|
270
|
+
"output": "<img>",
|
271
|
+
"rexml": "<img />"
|
272
|
+
},
|
273
|
+
|
274
|
+
{
|
275
|
+
"name": "should_not_fall_for_xss_image_hack_2",
|
276
|
+
"input": "<img src=\"JaVaScRiPt:alert('XSS')\" />",
|
277
|
+
"output": "<img>",
|
278
|
+
"rexml": "<img />"
|
279
|
+
},
|
280
|
+
|
281
|
+
{
|
282
|
+
"name": "should_not_fall_for_xss_image_hack_3",
|
283
|
+
"input": "<img src='javascript:alert("XSS")' />",
|
284
|
+
"output": "<img>",
|
285
|
+
"rexml": "<img />"
|
286
|
+
},
|
287
|
+
|
288
|
+
{
|
289
|
+
"name": "should_not_fall_for_xss_image_hack_4",
|
290
|
+
"input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />",
|
291
|
+
"output": "<img>",
|
292
|
+
"rexml": "<img />"
|
293
|
+
},
|
294
|
+
|
295
|
+
{
|
296
|
+
"name": "should_not_fall_for_xss_image_hack_5",
|
297
|
+
"input": "<img src='javascript:alert('XSS')' />",
|
298
|
+
"output": "<img>",
|
299
|
+
"rexml": "<img />"
|
300
|
+
},
|
301
|
+
|
302
|
+
{
|
303
|
+
"name": "should_not_fall_for_xss_image_hack_6",
|
304
|
+
"input": "<img src='javascript:alert('XSS')' />",
|
305
|
+
"output": "<img>",
|
306
|
+
"rexml": "<img />"
|
307
|
+
},
|
308
|
+
|
309
|
+
{
|
310
|
+
"name": "should_not_fall_for_xss_image_hack_7",
|
311
|
+
"input": "<img src='javascript:alert('XSS')' />",
|
312
|
+
"output": "<img>",
|
313
|
+
"rexml": "<img />"
|
314
|
+
},
|
315
|
+
|
316
|
+
{
|
317
|
+
"name": "should_not_fall_for_xss_image_hack_8",
|
318
|
+
"input": "<img src=\"jav\tascript:alert('XSS');\" />",
|
319
|
+
"output": "<img>",
|
320
|
+
"rexml": "<img />"
|
321
|
+
},
|
322
|
+
|
323
|
+
{
|
324
|
+
"name": "should_not_fall_for_xss_image_hack_9",
|
325
|
+
"input": "<img src=\"jav	ascript:alert('XSS');\" />",
|
326
|
+
"output": "<img>",
|
327
|
+
"rexml": "<img />"
|
328
|
+
},
|
329
|
+
|
330
|
+
{
|
331
|
+
"name": "should_sanitize_half_open_scripts",
|
332
|
+
"input": "<img src=\"javascript:alert('XSS')\"",
|
333
|
+
"output": "<img>",
|
334
|
+
"rexml": "Ill-formed XHTML!"
|
335
|
+
},
|
336
|
+
|
337
|
+
{
|
338
|
+
"name": "should_sanitize_invalid_script_tag",
|
339
|
+
"input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
|
340
|
+
"output": "<script src=\"http://ha.ckers.org/xss.js\"></script>",
|
341
|
+
"rexml": "Ill-formed XHTML!"
|
342
|
+
},
|
343
|
+
|
344
|
+
{
|
345
|
+
"name": "should_sanitize_script_tag_with_multiple_open_brackets",
|
346
|
+
"input": "<<script>alert(\"XSS\");//<</script>",
|
347
|
+
"output": "alert(\"XSS\");//",
|
348
|
+
"rexml": "Ill-formed XHTML!"
|
349
|
+
},
|
350
|
+
|
351
|
+
{
|
352
|
+
"name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
|
353
|
+
"input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
|
354
|
+
"output": "<iframe src=\"http://ha.ckers.org/scriptlet.html\"></iframe>",
|
355
|
+
"rexml": "Ill-formed XHTML!"
|
356
|
+
},
|
357
|
+
|
358
|
+
{
|
359
|
+
"name": "should_sanitize_tag_broken_up_by_null",
|
360
|
+
"input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
|
361
|
+
"output": "<scr></scr>",
|
362
|
+
"rexml": "Ill-formed XHTML!"
|
363
|
+
},
|
364
|
+
|
365
|
+
{
|
366
|
+
"name": "should_sanitize_unclosed_script",
|
367
|
+
"input": "<script src=http://ha.ckers.org/xss.js?<b>",
|
368
|
+
"output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\"></script>",
|
369
|
+
"rexml": "Ill-formed XHTML!"
|
370
|
+
},
|
371
|
+
|
372
|
+
{
|
373
|
+
"name": "should_strip_href_attribute_in_a_with_bad_protocols",
|
374
|
+
"input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>",
|
375
|
+
"output": "<a title='1'>boo</a>"
|
376
|
+
},
|
377
|
+
|
378
|
+
{
|
379
|
+
"name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace",
|
380
|
+
"input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>",
|
381
|
+
"output": "<a title='1'>boo</a>"
|
382
|
+
},
|
383
|
+
|
384
|
+
{
|
385
|
+
"name": "should_strip_src_attribute_in_img_with_bad_protocols",
|
386
|
+
"input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>",
|
387
|
+
"output": "<img title='1'>boo",
|
388
|
+
"rexml": "<img title='1' />"
|
389
|
+
},
|
390
|
+
|
391
|
+
{
|
392
|
+
"name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace",
|
393
|
+
"input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>",
|
394
|
+
"output": "<img title='1'>boo",
|
395
|
+
"rexml": "<img title='1' />"
|
396
|
+
},
|
397
|
+
|
398
|
+
{
|
399
|
+
"name": "xml_base",
|
400
|
+
"input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>",
|
401
|
+
"output": "<div>foo</div>"
|
402
|
+
},
|
403
|
+
|
404
|
+
{
|
405
|
+
"name": "xul",
|
406
|
+
"input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>",
|
407
|
+
"output": "<p style=''>fubar</p>"
|
408
|
+
},
|
409
|
+
|
410
|
+
{
|
411
|
+
"name": "quotes_in_attributes",
|
412
|
+
"input": "<img src='foo' title='\"foo\" bar' />",
|
413
|
+
"rexml": "<img src='foo' title='\"foo\" bar' />",
|
414
|
+
"output": "<img src='foo' title='\"foo\" bar'>"
|
415
|
+
},
|
416
|
+
|
417
|
+
{
|
418
|
+
"name": "uri_refs_in_svg_attributes",
|
419
|
+
"input": "<rect fill='url(#foo)' />",
|
420
|
+
"rexml": "<rect fill='url(#foo)'></rect>",
|
421
|
+
"xhtml": "<rect fill='url(#foo)'></rect>",
|
422
|
+
"output": "<rect fill='url(#foo)'/>"
|
423
|
+
},
|
424
|
+
|
425
|
+
{
|
426
|
+
"name": "absolute_uri_refs_in_svg_attributes",
|
427
|
+
"input": "<rect fill='url(http://bad.com/) #fff' />",
|
428
|
+
"rexml": "<rect fill=' #fff'></rect>",
|
429
|
+
"xhtml": "<rect fill=' #fff'></rect>",
|
430
|
+
"output": "<rect fill=' #fff'/>"
|
431
|
+
},
|
432
|
+
|
433
|
+
{
|
434
|
+
"name": "uri_ref_with_space_in svg_attribute",
|
435
|
+
"input": "<rect fill='url(\n#foo)' />",
|
436
|
+
"rexml": "<rect fill='url(\n#foo)'></rect>",
|
437
|
+
"xhtml": "<rect fill='url(\n#foo)'></rect>",
|
438
|
+
"output": "<rect fill='url(\n#foo)'/>"
|
439
|
+
},
|
440
|
+
|
441
|
+
{
|
442
|
+
"name": "absolute_uri_ref_with_space_in svg_attribute",
|
443
|
+
"input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
|
444
|
+
"rexml": "<rect fill=' '></rect>",
|
445
|
+
"xhtml": "<rect fill=' '></rect>",
|
446
|
+
"output": "<rect fill=' '/>"
|
447
|
+
},
|
448
|
+
|
449
|
+
{
|
450
|
+
"name": "allow_html5_image_tag",
|
451
|
+
"input": "<image src='foo' />",
|
452
|
+
"rexml": "<image src=\"foo\"></image>",
|
453
|
+
"output": "<image src=\"foo\"/>"
|
454
|
+
},
|
455
|
+
|
456
|
+
{
|
457
|
+
"name": "style_attr_end_with_nothing",
|
458
|
+
"input": "<div style=\"color: blue\" />",
|
459
|
+
"output": "<div style='color: blue;'/>",
|
460
|
+
"xhtml": "<div style='color: blue;'></div>",
|
461
|
+
"rexml": "<div style='color: blue;'></div>"
|
462
|
+
},
|
463
|
+
|
464
|
+
{
|
465
|
+
"name": "style_attr_end_with_space",
|
466
|
+
"input": "<div style=\"color: blue \" />",
|
467
|
+
"output": "<div style='color: blue ;'/>",
|
468
|
+
"xhtml": "<div style='color: blue ;'></div>",
|
469
|
+
"rexml": "<div style='color: blue ;'></div>"
|
470
|
+
},
|
471
|
+
|
472
|
+
{
|
473
|
+
"name": "style_attr_end_with_semicolon",
|
474
|
+
"input": "<div style=\"color: blue;\" />",
|
475
|
+
"output": "<div style='color: blue;'/>",
|
476
|
+
"xhtml": "<div style='color: blue;'></div>",
|
477
|
+
"rexml": "<div style='color: blue;'></div>"
|
478
|
+
},
|
479
|
+
|
480
|
+
{
|
481
|
+
"name": "style_attr_end_with_semicolon_space",
|
482
|
+
"input": "<div style=\"color: blue; \" />",
|
483
|
+
"output": "<div style='color: blue;'/>",
|
484
|
+
"xhtml": "<div style='color: blue;'></div>",
|
485
|
+
"rexml": "<div style='color: blue;'></div>"
|
486
|
+
},
|
487
|
+
|
488
|
+
{
|
489
|
+
"name": "attributes_with_embedded_quotes",
|
490
|
+
"input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
|
491
|
+
"output": "<img src='doesntexist.jpg%22'onerror=%22alert(1)'>",
|
492
|
+
"rexml": "Ill-formed XHTML!"
|
493
|
+
},
|
494
|
+
|
495
|
+
{
|
496
|
+
"name": "attributes_with_embedded_quotes_II",
|
497
|
+
"input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
|
498
|
+
"output": "<img src='notthere.jpg%22%22onerror=%22alert(2)'>",
|
499
|
+
"rexml": "Ill-formed XHTML!"
|
500
|
+
}
|
501
|
+
]
|