loofah 1.0.0 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of loofah might be problematic. Click here for more details.
- data/.gemtest +0 -0
- data/CHANGELOG.rdoc +9 -0
- data/Gemfile +19 -1
- data/Manifest.txt +2 -0
- data/README.rdoc +1 -1
- data/Rakefile +11 -3
- data/lib/loofah.rb +1 -8
- data/lib/loofah/elements.rb +5 -7
- data/lib/loofah/html/document_fragment.rb +3 -1
- data/lib/loofah/html5/scrub.rb +27 -13
- data/lib/loofah/html5/whitelist.rb +38 -35
- data/lib/loofah/instance_methods.rb +1 -1
- data/lib/loofah/metahelpers.rb +7 -9
- data/lib/loofah/scrubber.rb +1 -1
- data/lib/loofah/scrubbers.rb +5 -7
- data/lib/loofah/xml/document_fragment.rb +3 -1
- data/test/assets/testdata_sanitizer_tests1.dat +501 -0
- data/test/helper.rb +13 -3
- data/test/html5/test_sanitizer.rb +20 -17
- data/test/integration/test_ad_hoc.rb +8 -8
- data/test/integration/test_helpers.rb +6 -6
- data/test/integration/test_html.rb +11 -9
- data/test/integration/test_scrubbers.rb +58 -58
- data/test/integration/test_xml.rb +4 -4
- data/test/unit/test_api.rb +4 -4
- data/test/unit/test_encoding.rb +20 -0
- data/test/unit/test_helpers.rb +11 -11
- data/test/unit/test_scrubber.rb +35 -35
- data/test/unit/test_scrubbers.rb +3 -3
- metadata +108 -51
data/test/helper.rb
CHANGED
|
@@ -1,7 +1,17 @@
|
|
|
1
1
|
require 'rubygems'
|
|
2
|
-
require '
|
|
3
|
-
require '
|
|
4
|
-
require '
|
|
2
|
+
require 'rr'
|
|
3
|
+
require 'minitest/unit'
|
|
4
|
+
require 'minitest/spec'
|
|
5
|
+
require 'minitest/autorun'
|
|
6
|
+
|
|
5
7
|
require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah"))
|
|
6
8
|
|
|
7
9
|
puts "=> testing with Nokogiri #{Nokogiri::VERSION_INFO.inspect}"
|
|
10
|
+
|
|
11
|
+
class Loofah::TestCase < MiniTest::Spec
|
|
12
|
+
include RR::Adapters::TestUnit
|
|
13
|
+
|
|
14
|
+
class << self
|
|
15
|
+
alias_method :context, :describe
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -4,10 +4,9 @@
|
|
|
4
4
|
#
|
|
5
5
|
# license text at the bottom of this file
|
|
6
6
|
#
|
|
7
|
-
require
|
|
8
|
-
require 'json'
|
|
7
|
+
require "helper"
|
|
9
8
|
|
|
10
|
-
class Html5TestSanitizer <
|
|
9
|
+
class Html5TestSanitizer < Loofah::TestCase
|
|
11
10
|
include Loofah
|
|
12
11
|
|
|
13
12
|
def sanitize_xhtml stream
|
|
@@ -21,11 +20,15 @@ class Html5TestSanitizer < Test::Unit::TestCase
|
|
|
21
20
|
def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
|
|
22
21
|
## libxml uses double-quotes, so let's swappo-boppo our quotes before comparing.
|
|
23
22
|
sane = sanitize_html(input).gsub('"',"'")
|
|
23
|
+
htmloutput.gsub!('"',"'")
|
|
24
|
+
xhtmloutput.gsub!('"',"'")
|
|
25
|
+
rexmloutput.gsub!('"',"'")
|
|
24
26
|
|
|
25
27
|
## HTML5's parsers are shit. there's so much inconsistency with what has closing tags, etc, that
|
|
26
28
|
## it would require a lot of manual hacking to make the tests match libxml's output.
|
|
27
29
|
## instead, I'm taking the shotgun approach, and trying to match any of the described outputs.
|
|
28
|
-
assert((htmloutput == sane) || (rexmloutput == sane) || (xhtmloutput == sane),
|
|
30
|
+
assert((htmloutput == sane) || (rexmloutput == sane) || (xhtmloutput == sane),
|
|
31
|
+
%Q{given: "#{input}"\nexpected: "#{htmloutput}"\ngot: "#{sane}"})
|
|
29
32
|
end
|
|
30
33
|
|
|
31
34
|
(HTML5::WhiteList::ALLOWED_ELEMENTS).each do |tag_name|
|
|
@@ -169,18 +172,19 @@ class Html5TestSanitizer < Test::Unit::TestCase
|
|
|
169
172
|
## libxml2 here, so let's rely on the unit tests above to take care
|
|
170
173
|
## of our valid elements and attributes.
|
|
171
174
|
##
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
175
|
+
require 'json'
|
|
176
|
+
Dir[File.join(File.dirname(__FILE__), '..', 'assets', 'testdata_sanitizer_tests1.dat')].each do |filename|
|
|
177
|
+
JSON::parse(open(filename).read).each do |test|
|
|
178
|
+
it "testdata sanitizer #{test['name']}" do
|
|
179
|
+
check_sanitization(
|
|
180
|
+
test['input'],
|
|
181
|
+
test['output'],
|
|
182
|
+
test['xhtml'] || test['output'],
|
|
183
|
+
test['rexml'] || test['output']
|
|
184
|
+
)
|
|
185
|
+
end
|
|
186
|
+
end
|
|
187
|
+
end
|
|
184
188
|
|
|
185
189
|
## added because we don't have any coverage above on SVG_ATTR_VAL_ALLOWS_REF
|
|
186
190
|
HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|
|
|
@@ -206,7 +210,6 @@ class Html5TestSanitizer < Test::Unit::TestCase
|
|
|
206
210
|
rexml = "<rect fill=' '></rect>"
|
|
207
211
|
end
|
|
208
212
|
end
|
|
209
|
-
|
|
210
213
|
end
|
|
211
214
|
|
|
212
215
|
# <html5_license>
|
|
@@ -1,16 +1,16 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class IntegrationTestAdHoc < Loofah::TestCase
|
|
4
4
|
|
|
5
5
|
context "blank input string" do
|
|
6
6
|
context "fragment" do
|
|
7
|
-
|
|
7
|
+
it "return a blank string" do
|
|
8
8
|
assert_equal "", Loofah.scrub_fragment("", :prune).to_s
|
|
9
9
|
end
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
context "document" do
|
|
13
|
-
|
|
13
|
+
it "return a blank string" do
|
|
14
14
|
assert_equal "", Loofah.scrub_document("", :prune).root.to_s
|
|
15
15
|
end
|
|
16
16
|
end
|
|
@@ -49,8 +49,8 @@ class TestAdHoc < Test::Unit::TestCase
|
|
|
49
49
|
def test_css_sanitization
|
|
50
50
|
html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
|
|
51
51
|
sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
|
|
52
|
-
assert_match
|
|
53
|
-
|
|
52
|
+
assert_match %r/#000/, sane.inner_html
|
|
53
|
+
refute_match %r/foo\.com/, sane.inner_html
|
|
54
54
|
end
|
|
55
55
|
|
|
56
56
|
def test_fragment_with_no_tags
|
|
@@ -148,8 +148,8 @@ mso-bidi-language:#0400;}
|
|
|
148
148
|
|
|
149
149
|
def test_document_whitewash_on_microsofty_markup
|
|
150
150
|
whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
|
|
151
|
-
|
|
152
|
-
assert_equal "<p>Foo <b>BOLD</b></p>",
|
|
151
|
+
assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
|
|
152
|
+
assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.xpath("/html/body/*").to_s
|
|
153
153
|
end
|
|
154
154
|
|
|
155
155
|
def test_return_empty_string_when_nothing_left
|
|
@@ -1,15 +1,15 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class IntegrationTestHelpers < Loofah::TestCase
|
|
4
4
|
context "#strip_tags" do
|
|
5
5
|
context "on safe markup" do
|
|
6
|
-
|
|
6
|
+
it "strip out tags" do
|
|
7
7
|
assert_equal "omgwtfbbq!!1!", Loofah::Helpers.strip_tags("<div>omgwtfbbq</div><span>!!1!</span>")
|
|
8
8
|
end
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
context "on hack attack" do
|
|
12
|
-
|
|
12
|
+
it "strip escape html entities" do
|
|
13
13
|
bad_shit = "<script>alert('evil')</script>"
|
|
14
14
|
assert_equal bad_shit, Loofah::Helpers.strip_tags(bad_shit)
|
|
15
15
|
end
|
|
@@ -18,14 +18,14 @@ class TestHelpers < Test::Unit::TestCase
|
|
|
18
18
|
|
|
19
19
|
context "#sanitize" do
|
|
20
20
|
context "on safe markup" do
|
|
21
|
-
|
|
21
|
+
it "render the safe html" do
|
|
22
22
|
html = "<div>omgwtfbbq</div><span>!!1!</span>"
|
|
23
23
|
assert_equal html, Loofah::Helpers.sanitize(html)
|
|
24
24
|
end
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
context "on hack attack" do
|
|
28
|
-
|
|
28
|
+
it "strip the unsafe tags" do
|
|
29
29
|
assert_equal "alert('evil')<span>w00t</span>", Loofah::Helpers.sanitize("<script>alert('evil')</script><span>w00t</span>")
|
|
30
30
|
end
|
|
31
31
|
end
|
|
@@ -1,28 +1,30 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class IntegrationTestHtml < Loofah::TestCase
|
|
4
4
|
context "html fragment" do
|
|
5
5
|
context "#to_s" do
|
|
6
|
-
|
|
6
|
+
it "not include head tags (like style)" do
|
|
7
|
+
skip "depends on nokogiri version"
|
|
7
8
|
html = Loofah.fragment "<style>foo</style><div>bar</div>"
|
|
8
9
|
assert_equal "<div>bar</div>", html.to_s
|
|
9
10
|
end
|
|
10
11
|
end
|
|
11
12
|
|
|
12
13
|
context "#text" do
|
|
13
|
-
|
|
14
|
+
it "not include head tags (like style)" do
|
|
15
|
+
skip "depends on nokogiri version"
|
|
14
16
|
html = Loofah.fragment "<style>foo</style><div>bar</div>"
|
|
15
17
|
assert_equal "bar", html.text
|
|
16
18
|
end
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
context "#to_text" do
|
|
20
|
-
|
|
22
|
+
it "add newlines before and after block elements" do
|
|
21
23
|
html = Loofah.fragment "<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
|
|
22
24
|
assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
|
|
23
25
|
end
|
|
24
26
|
|
|
25
|
-
|
|
27
|
+
it "remove extraneous whitespace" do
|
|
26
28
|
html = Loofah.fragment "<div>tweedle\n\n\t\n\s\nbeetle</div>"
|
|
27
29
|
assert_equal "\ntweedle\n\nbeetle\n", html.to_text
|
|
28
30
|
end
|
|
@@ -30,18 +32,18 @@ class TestHtml < Test::Unit::TestCase
|
|
|
30
32
|
end
|
|
31
33
|
|
|
32
34
|
context "html document" do
|
|
33
|
-
|
|
35
|
+
it "not include head tags (like style)" do
|
|
34
36
|
html = Loofah.document "<style>foo</style><div>bar</div>"
|
|
35
37
|
assert_equal "bar", html.text
|
|
36
38
|
end
|
|
37
39
|
|
|
38
40
|
context "#to_text" do
|
|
39
|
-
|
|
41
|
+
it "add newlines before and after block elements" do
|
|
40
42
|
html = Loofah.document "<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
|
|
41
43
|
assert_equal "\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
|
|
42
44
|
end
|
|
43
45
|
|
|
44
|
-
|
|
46
|
+
it "remove extraneous whitespace" do
|
|
45
47
|
html = Loofah.document "<div>tweedle\n\n\t\n\s\nbeetle</div>"
|
|
46
48
|
assert_equal "\ntweedle\n\nbeetle\n", html.to_text
|
|
47
49
|
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "helper"
|
|
2
2
|
|
|
3
|
-
class
|
|
3
|
+
class IntegrationTestScrubbers < Loofah::TestCase
|
|
4
4
|
|
|
5
5
|
INVALID_FRAGMENT = "<invalid>foo<p>bar</p>bazz</invalid><div>quux</div>"
|
|
6
6
|
INVALID_ESCAPED = "<invalid>foo<p>bar</p>bazz</invalid><div>quux</div>"
|
|
@@ -23,7 +23,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
23
23
|
context "Document" do
|
|
24
24
|
context "#scrub!" do
|
|
25
25
|
context ":escape" do
|
|
26
|
-
|
|
26
|
+
it "escape bad tags" do
|
|
27
27
|
doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
|
|
28
28
|
result = doc.scrub! :escape
|
|
29
29
|
|
|
@@ -33,7 +33,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
context ":prune" do
|
|
36
|
-
|
|
36
|
+
it "prune bad tags" do
|
|
37
37
|
doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
|
|
38
38
|
result = doc.scrub! :prune
|
|
39
39
|
|
|
@@ -43,7 +43,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
context ":strip" do
|
|
46
|
-
|
|
46
|
+
it "strip bad tags" do
|
|
47
47
|
doc = Loofah::HTML::Document.parse "<html><body>#{INVALID_FRAGMENT}</body></html>"
|
|
48
48
|
result = doc.scrub! :strip
|
|
49
49
|
|
|
@@ -53,7 +53,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
53
53
|
end
|
|
54
54
|
|
|
55
55
|
context ":whitewash" do
|
|
56
|
-
|
|
56
|
+
it "whitewash the markup" do
|
|
57
57
|
doc = Loofah::HTML::Document.parse "<html><body>#{WHITEWASH_FRAGMENT}</body></html>"
|
|
58
58
|
result = doc.scrub! :whitewash
|
|
59
59
|
|
|
@@ -63,7 +63,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
63
63
|
end
|
|
64
64
|
|
|
65
65
|
context ":nofollow" do
|
|
66
|
-
|
|
66
|
+
it "add a 'nofollow' attribute to hyperlinks" do
|
|
67
67
|
doc = Loofah::HTML::Document.parse "<html><body>#{NOFOLLOW_FRAGMENT}</body></html>"
|
|
68
68
|
result = doc.scrub! :nofollow
|
|
69
69
|
|
|
@@ -74,17 +74,17 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
74
74
|
end
|
|
75
75
|
|
|
76
76
|
context "#scrub_document" do
|
|
77
|
-
|
|
78
|
-
mock_doc =
|
|
79
|
-
Loofah.
|
|
80
|
-
mock_doc.
|
|
77
|
+
it "be a shortcut for parse-and-scrub" do
|
|
78
|
+
mock_doc = Object.new
|
|
79
|
+
mock(Loofah).document(:string_or_io) { mock_doc }
|
|
80
|
+
mock(mock_doc).scrub!(:method)
|
|
81
81
|
|
|
82
82
|
Loofah.scrub_document(:string_or_io, :method)
|
|
83
83
|
end
|
|
84
84
|
end
|
|
85
85
|
|
|
86
86
|
context "#text" do
|
|
87
|
-
|
|
87
|
+
it "leave behind only inner text with html entities still escaped" do
|
|
88
88
|
doc = Loofah::HTML::Document.parse "<html><body>#{ENTITY_HACK_ATTACK}</body></html>"
|
|
89
89
|
result = doc.text
|
|
90
90
|
|
|
@@ -92,7 +92,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
92
92
|
end
|
|
93
93
|
|
|
94
94
|
context "with encode_special_chars => false" do
|
|
95
|
-
|
|
95
|
+
it "leave behind only inner text with html entities unescaped" do
|
|
96
96
|
doc = Loofah::HTML::Document.parse "<html><body>#{ENTITY_HACK_ATTACK}</body></html>"
|
|
97
97
|
result = doc.text(:encode_special_chars => false)
|
|
98
98
|
|
|
@@ -101,7 +101,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
101
101
|
end
|
|
102
102
|
|
|
103
103
|
context "with encode_special_chars => true" do
|
|
104
|
-
|
|
104
|
+
it "leave behind only inner text with html entities still escaped" do
|
|
105
105
|
doc = Loofah::HTML::Document.parse "<html><body>#{ENTITY_HACK_ATTACK}</body></html>"
|
|
106
106
|
result = doc.text(:encode_special_chars => true)
|
|
107
107
|
|
|
@@ -111,38 +111,38 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
context "#to_s" do
|
|
114
|
-
|
|
114
|
+
it "generate HTML" do
|
|
115
115
|
doc = Loofah.scrub_document "<html><head><title>quux</title></head><body><div>foo</div></body></html>", :prune
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
116
|
+
refute_nil doc.xpath("/html").first
|
|
117
|
+
refute_nil doc.xpath("/html/head").first
|
|
118
|
+
refute_nil doc.xpath("/html/body").first
|
|
119
119
|
|
|
120
120
|
string = doc.to_s
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
121
|
+
assert_match %r/<!DOCTYPE/, string
|
|
122
|
+
assert_match %r/<html>/, string
|
|
123
|
+
assert_match %r/<head>/, string
|
|
124
|
+
assert_match %r/<body>/, string
|
|
125
125
|
end
|
|
126
126
|
end
|
|
127
127
|
|
|
128
128
|
context "#serialize" do
|
|
129
|
-
|
|
129
|
+
it "generate HTML" do
|
|
130
130
|
doc = Loofah.scrub_document "<html><head><title>quux</title></head><body><div>foo</div></body></html>", :prune
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
131
|
+
refute_nil doc.xpath("/html").first
|
|
132
|
+
refute_nil doc.xpath("/html/head").first
|
|
133
|
+
refute_nil doc.xpath("/html/body").first
|
|
134
134
|
|
|
135
135
|
string = doc.serialize
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
136
|
+
assert_match %r/<!DOCTYPE/, string
|
|
137
|
+
assert_match %r/<html>/, string
|
|
138
|
+
assert_match %r/<head>/, string
|
|
139
|
+
assert_match %r/<body>/, string
|
|
140
140
|
end
|
|
141
141
|
end
|
|
142
142
|
|
|
143
143
|
context "Node" do
|
|
144
144
|
context "#scrub!" do
|
|
145
|
-
|
|
145
|
+
it "only scrub subtree" do
|
|
146
146
|
xml = Loofah.document <<-EOHTML
|
|
147
147
|
<html><body>
|
|
148
148
|
<div class='scrub'>
|
|
@@ -155,15 +155,15 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
155
155
|
EOHTML
|
|
156
156
|
node = xml.at_css "div.scrub"
|
|
157
157
|
node.scrub!(:prune)
|
|
158
|
-
|
|
159
|
-
|
|
158
|
+
assert_match %r/I should remain/, xml.to_s
|
|
159
|
+
refute_match %r/I should be removed/, xml.to_s
|
|
160
160
|
end
|
|
161
161
|
end
|
|
162
162
|
end
|
|
163
163
|
|
|
164
164
|
context "NodeSet" do
|
|
165
165
|
context "#scrub!" do
|
|
166
|
-
|
|
166
|
+
it "only scrub subtrees" do
|
|
167
167
|
xml = Loofah.document <<-EOHTML
|
|
168
168
|
<html><body>
|
|
169
169
|
<div class='scrub'>
|
|
@@ -180,9 +180,9 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
180
180
|
node_set = xml.css "div.scrub"
|
|
181
181
|
assert_equal 2, node_set.length
|
|
182
182
|
node_set.scrub!(:prune)
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
183
|
+
assert_match %r/I should remain/, xml.to_s
|
|
184
|
+
refute_match %r/I should be removed/, xml.to_s
|
|
185
|
+
refute_match %r/I should also be removed/, xml.to_s
|
|
186
186
|
end
|
|
187
187
|
end
|
|
188
188
|
end
|
|
@@ -191,7 +191,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
191
191
|
context "DocumentFragment" do
|
|
192
192
|
context "#scrub!" do
|
|
193
193
|
context ":escape" do
|
|
194
|
-
|
|
194
|
+
it "escape bad tags" do
|
|
195
195
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
|
|
196
196
|
result = doc.scrub! :escape
|
|
197
197
|
|
|
@@ -201,7 +201,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
201
201
|
end
|
|
202
202
|
|
|
203
203
|
context ":prune" do
|
|
204
|
-
|
|
204
|
+
it "prune bad tags" do
|
|
205
205
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
|
|
206
206
|
result = doc.scrub! :prune
|
|
207
207
|
|
|
@@ -211,7 +211,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
211
211
|
end
|
|
212
212
|
|
|
213
213
|
context ":strip" do
|
|
214
|
-
|
|
214
|
+
it "strip bad tags" do
|
|
215
215
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{INVALID_FRAGMENT}</div>"
|
|
216
216
|
result = doc.scrub! :strip
|
|
217
217
|
|
|
@@ -221,7 +221,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
221
221
|
end
|
|
222
222
|
|
|
223
223
|
context ":whitewash" do
|
|
224
|
-
|
|
224
|
+
it "whitewash the markup" do
|
|
225
225
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{WHITEWASH_FRAGMENT}</div>"
|
|
226
226
|
result = doc.scrub! :whitewash
|
|
227
227
|
|
|
@@ -231,7 +231,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
231
231
|
end
|
|
232
232
|
|
|
233
233
|
context ":nofollow" do
|
|
234
|
-
|
|
234
|
+
it "add a 'nofollow' attribute to hyperlinks" do
|
|
235
235
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{NOFOLLOW_FRAGMENT}</div>"
|
|
236
236
|
result = doc.scrub! :nofollow
|
|
237
237
|
|
|
@@ -242,17 +242,17 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
242
242
|
end
|
|
243
243
|
|
|
244
244
|
context "#scrub_fragment" do
|
|
245
|
-
|
|
246
|
-
mock_doc =
|
|
247
|
-
Loofah.
|
|
248
|
-
mock_doc.
|
|
245
|
+
it "be a shortcut for parse-and-scrub" do
|
|
246
|
+
mock_doc = Object.new
|
|
247
|
+
mock(Loofah).fragment(:string_or_io) { mock_doc }
|
|
248
|
+
mock(mock_doc).scrub!(:method)
|
|
249
249
|
|
|
250
250
|
Loofah.scrub_fragment(:string_or_io, :method)
|
|
251
251
|
end
|
|
252
252
|
end
|
|
253
253
|
|
|
254
254
|
context "#text" do
|
|
255
|
-
|
|
255
|
+
it "leave behind only inner text with html entities still escaped" do
|
|
256
256
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{ENTITY_HACK_ATTACK}</div>"
|
|
257
257
|
result = doc.text
|
|
258
258
|
|
|
@@ -260,7 +260,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
260
260
|
end
|
|
261
261
|
|
|
262
262
|
context "with encode_special_chars => false" do
|
|
263
|
-
|
|
263
|
+
it "leave behind only inner text with html entities unescaped" do
|
|
264
264
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{ENTITY_HACK_ATTACK}</div>"
|
|
265
265
|
result = doc.text(:encode_special_chars => false)
|
|
266
266
|
|
|
@@ -269,7 +269,7 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
269
269
|
end
|
|
270
270
|
|
|
271
271
|
context "with encode_special_chars => true" do
|
|
272
|
-
|
|
272
|
+
it "leave behind only inner text with html entities still escaped" do
|
|
273
273
|
doc = Loofah::HTML::DocumentFragment.parse "<div>#{ENTITY_HACK_ATTACK}</div>"
|
|
274
274
|
result = doc.text(:encode_special_chars => true)
|
|
275
275
|
|
|
@@ -279,15 +279,15 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
279
279
|
end
|
|
280
280
|
|
|
281
281
|
context "#to_s" do
|
|
282
|
-
|
|
282
|
+
it "not remove entities" do
|
|
283
283
|
string = Loofah.scrub_fragment(ENTITY_FRAGMENT, :prune).to_s
|
|
284
|
-
|
|
284
|
+
assert_match %r/this is </, string
|
|
285
285
|
end
|
|
286
286
|
end
|
|
287
287
|
|
|
288
288
|
context "Node" do
|
|
289
289
|
context "#scrub!" do
|
|
290
|
-
|
|
290
|
+
it "only scrub subtree" do
|
|
291
291
|
xml = Loofah.fragment <<-EOHTML
|
|
292
292
|
<div class='scrub'>
|
|
293
293
|
<script>I should be removed</script>
|
|
@@ -298,15 +298,15 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
298
298
|
EOHTML
|
|
299
299
|
node = xml.at_css "div.scrub"
|
|
300
300
|
node.scrub!(:prune)
|
|
301
|
-
|
|
302
|
-
|
|
301
|
+
assert_match %r(I should remain), xml.to_s
|
|
302
|
+
refute_match %r(I should be removed), xml.to_s
|
|
303
303
|
end
|
|
304
304
|
end
|
|
305
305
|
end
|
|
306
306
|
|
|
307
307
|
context "NodeSet" do
|
|
308
308
|
context "#scrub!" do
|
|
309
|
-
|
|
309
|
+
it "only scrub subtrees" do
|
|
310
310
|
xml = Loofah.fragment <<-EOHTML
|
|
311
311
|
<div class='scrub'>
|
|
312
312
|
<script>I should be removed</script>
|
|
@@ -321,9 +321,9 @@ class TestScrubbers < Test::Unit::TestCase
|
|
|
321
321
|
node_set = xml.css "div.scrub"
|
|
322
322
|
assert_equal 2, node_set.length
|
|
323
323
|
node_set.scrub!(:prune)
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
324
|
+
assert_match %r/I should remain/, xml.to_s
|
|
325
|
+
refute_match %r/I should be removed/, xml.to_s
|
|
326
|
+
refute_match %r/I should also be removed/, xml.to_s
|
|
327
327
|
end
|
|
328
328
|
end
|
|
329
329
|
end
|