loofah 1.0.0 → 2.19.1

data/lib/loofah/html5/whitelist.rb

@@ -1,168 +0,0 @@
-module Loofah
-  module HTML5 # :nodoc:
-    #
-    #  HTML whitelist lifted from HTML5lib sanitizer code:
-    #
-    #    http://code.google.com/p/html5lib/
-    #
-    # <html5_license>
-    #
-    #   Copyright (c) 2006-2008 The Authors
-    #
-    #   Contributors:
-    #   James Graham - jg307@cam.ac.uk
-    #   Anne van Kesteren - annevankesteren@gmail.com
-    #   Lachlan Hunt - lachlan.hunt@lachy.id.au
-    #   Matt McDonald - kanashii@kanashii.ca
-    #   Sam Ruby - rubys@intertwingly.net
-    #   Ian Hickson (Google) - ian@hixie.ch
-    #   Thomas Broyer - t.broyer@ltgt.net
-    #   Jacques Distler - distler@golem.ph.utexas.edu
-    #   Henri Sivonen - hsivonen@iki.fi
-    #   The Mozilla Foundation (contributions from Henri Sivonen since 2008)
-    #
-    #   Permission is hereby granted, free of charge, to any person
-    #   obtaining a copy of this software and associated documentation
-    #   files (the "Software"), to deal in the Software without
-    #   restriction, including without limitation the rights to use, copy,
-    #   modify, merge, publish, distribute, sublicense, and/or sell copies
-    #   of the Software, and to permit persons to whom the Software is
-    #   furnished to do so, subject to the following conditions:
-    #
-    #   The above copyright notice and this permission notice shall be
-    #   included in all copies or substantial portions of the Software.
-    #
-    #   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-    #   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-    #   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-    #   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-    #   HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-    #   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    #   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    #   DEALINGS IN THE SOFTWARE.
-    #
-    # </html5_license>
-    module WhiteList
-      ACCEPTABLE_ELEMENTS = %w[a abbr acronym address area b big blockquote br
-      button caption center cite code col colgroup dd del dfn dir div dl dt
-      em fieldset font form h1 h2 h3 h4 h5 h6 hr i img input ins kbd label
-      legend li map menu ol optgroup option p pre q s samp select small span
-      strike strong sub sup table tbody td textarea tfoot th thead tr tt u
-      ul var]
-
-      MATHML_ELEMENTS = %w[annotation annotation-xml maction math merror mfrac
-      mfenced mi mmultiscripts mn mo mover mpadded mphantom mprescripts mroot mrow
-      mspace msqrt mstyle msub msubsup msup mtable mtd mtext mtr munder
-      munderover none semantics]
-
-      SVG_ELEMENTS = %w[a animate animateColor animateMotion animateTransform
-      circle defs desc ellipse font-face font-face-name font-face-src foreignObject
-      g glyph hkern linearGradient line marker metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch
-      text title tspan use]
-
-      ACCEPTABLE_ATTRIBUTES = %w[abbr accept accept-charset accesskey action
-      align alt axis border cellpadding cellspacing char charoff charset
-      checked cite class clear cols colspan color compact coords datetime
-      dir disabled enctype for frame headers height href hreflang hspace id
-      ismap label lang longdesc maxlength media method multiple name nohref
-      noshade nowrap prompt readonly rel rev rows rowspan rules scope
-      selected shape size span src start style summary tabindex target title
-      type usemap valign value vspace width xml:lang]
-
-      MATHML_ATTRIBUTES = %w[actiontype align close columnalign columnalign
-      columnalign columnlines columnspacing columnspan depth display
-      displaystyle encoding equalcolumns equalrows fence fontstyle fontweight
-      frame height linethickness lspace mathbackground mathcolor mathvariant
-      mathvariant maxsize minsize open other rowalign rowalign rowalign rowlines
-      rowspacing rowspan rspace scriptlevel selection separator separators
-      stretchy width width xlink:href xlink:show xlink:type xmlns xmlns:xlink]
-
-      SVG_ATTRIBUTES = %w[accent-height accumulate additive alphabetic
-       arabic-form ascent attributeName attributeType baseProfile bbox begin
-       by calcMode cap-height class color color-rendering content cx cy d dx
-       dy descent display dur end fill fill-opacity fill-rule font-family
-       font-size font-stretch font-style font-variant font-weight from fx fy g1
-       g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
-       ideographic k keyPoints keySplines keyTimes lang marker-end
-       marker-mid marker-start markerHeight markerUnits markerWidth
-       mathematical max min name offset opacity orient origin
-       overline-position overline-thickness panose-1 path pathLength points
-       preserveAspectRatio r refX refY repeatCount repeatDur
-       requiredExtensions requiredFeatures restart rotate rx ry slope stemh
-       stemv stop-color stop-opacity strikethrough-position
-       strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
-       stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
-       stroke-width systemLanguage target text-anchor to transform type u1
-       u2 underline-position underline-thickness unicode unicode-range
-       units-per-em values version viewBox visibility width widths x
-       x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
-       xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
-       xmlns:xlink y y1 y2 zoomAndPan]
-
-      ATTR_VAL_IS_URI = %w[href src cite action longdesc xlink:href xml:base]
-
-      SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path color-profile cursor fill
-      filter marker marker-start marker-mid marker-end mask stroke]
-
-      SVG_ALLOW_LOCAL_HREF = %w[altGlyph animate animateColor animateMotion
-      animateTransform cursor feImage filter linearGradient pattern
-      radialGradient textpath tref set use]
-
-      ACCEPTABLE_CSS_PROPERTIES = %w[azimuth background-color
-      border-bottom-color border-collapse border-color border-left-color
-      border-right-color border-top-color clear color cursor direction
-      display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height overflow
-      pause pause-after pause-before pitch pitch-range richness speak
-      speak-header speak-numeral speak-punctuation speech-rate stress
-      text-align text-decoration text-indent unicode-bidi vertical-align
-      voice-family volume white-space width]
-
-      ACCEPTABLE_CSS_KEYWORDS = %w[auto aqua black block blue bold both bottom
-      brown center collapse dashed dotted fuchsia gray green !important
-      italic left lime maroon medium none navy normal nowrap olive pointer
-      purple red right solid silver teal top transparent underline white
-      yellow]
-
-      ACCEPTABLE_SVG_PROPERTIES = %w[fill fill-opacity fill-rule stroke
-      stroke-width stroke-linecap stroke-linejoin stroke-opacity]
-
-      ACCEPTABLE_PROTOCOLS = %w[ed2k ftp http https irc mailto news gopher nntp
-      telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs]
-
-      # subclasses may define their own versions of these constants
-      ALLOWED_ELEMENTS = ACCEPTABLE_ELEMENTS + MATHML_ELEMENTS + SVG_ELEMENTS
-      ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + SVG_ATTRIBUTES
-      ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
-      ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
-      ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
-      ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
-
-      VOID_ELEMENTS = %w[
-        base
-        link
-        meta
-        hr
-        br
-        img
-        embed
-        param
-        area
-        col
-        input
-      ]
-
-      # additional tags we should consider safe since we have libxml2 fixing up our documents.
-      TAGS_SAFE_WITH_LIBXML2 = %w[html head body]
-      ALLOWED_ELEMENTS_WITH_LIBXML2 = ALLOWED_ELEMENTS + TAGS_SAFE_WITH_LIBXML2
-    end      
-
-    #
-    #  The HTML5lib whitelist arrays, transformed into hashes for faster lookup.
-    #
-    module HashedWhiteList
-      include Loofah::MetaHelpers::HashifiedConstants(WhiteList)
-    end
-  end
-end

data/test/helper.rb

@@ -1,7 +0,0 @@
-require 'rubygems'
-require 'test/unit'
-require 'shoulda'
-require 'mocha'
-require File.expand_path(File.join(File.dirname(__FILE__), "..", "lib", "loofah"))
-
-puts "=> testing with Nokogiri #{Nokogiri::VERSION_INFO.inspect}"

data/test/html5/test_sanitizer.rb

@@ -1,248 +0,0 @@
-#
-#  these tests taken from the HTML5 sanitization project and modified for use with Loofah
-#  see the original here: http://code.google.com/p/html5lib/source/browse/ruby/test/test_sanitizer.rb
-#
-#  license text at the bottom of this file
-#
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'helper'))
-require 'json'
-
-class Html5TestSanitizer < Test::Unit::TestCase
-  include Loofah
-
-  def sanitize_xhtml stream
-    Loofah.fragment(stream).scrub!(:escape).to_xhtml
-  end
-
-  def sanitize_html stream
-    Loofah.fragment(stream).scrub!(:escape).to_html
-  end
-
-  def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
-    ##  libxml uses double-quotes, so let's swappo-boppo our quotes before comparing.
-    sane = sanitize_html(input).gsub('"',"'")
-
-    ##  HTML5's parsers are shit. there's so much inconsistency with what has closing tags, etc, that
-    ##  it would require a lot of manual hacking to make the tests match libxml's output.
-    ##  instead, I'm taking the shotgun approach, and trying to match any of the described outputs.
-    assert((htmloutput == sane) || (rexmloutput == sane) || (xhtmloutput == sane), input)
-  end
-
-  (HTML5::WhiteList::ALLOWED_ELEMENTS).each do |tag_name|
-    define_method "test_should_allow_#{tag_name}_tag" do
-      input       = "<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>"
-      htmloutput  = "<#{tag_name.downcase} title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name.downcase}>"
-      xhtmloutput = "<#{tag_name} title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</#{tag_name}>"
-      rexmloutput = xhtmloutput
-
-      if %w[caption colgroup optgroup option tbody td tfoot th thead tr].include?(tag_name)
-        htmloutput = "foo &lt;bad&gt;bar&lt;/bad&gt; baz"
-        xhtmloutput = htmloutput
-      elsif tag_name == 'col'
-        htmloutput = "<col title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz"
-        xhtmloutput = htmloutput
-        rexmloutput = "<col title='1' />"
-      elsif tag_name == 'table'
-        htmloutput = "foo &lt;bad&gt;bar&lt;/bad&gt;baz<table title='1'> </table>"
-        xhtmloutput = htmloutput
-      elsif tag_name == 'image'
-        htmloutput = "<img title='1'/>foo &lt;bad&gt;bar&lt;/bad&gt; baz"
-        xhtmloutput = htmloutput
-        rexmloutput = "<image title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</image>"
-      elsif HTML5::WhiteList::VOID_ELEMENTS.include?(tag_name)
-        htmloutput = "<#{tag_name} title='1'>foo &lt;bad&gt;bar&lt;/bad&gt; baz"
-        xhtmloutput = htmloutput
-        htmloutput += '<br/>' if tag_name == 'br'
-        rexmloutput =  "<#{tag_name} title='1' />"
-      end
-      check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
-    end
-  end
-
-  ##
-  ##  libxml2 downcases elements, so this is moot.
-  ##
-  # HTML5::WhiteList::ALLOWED_ELEMENTS.each do |tag_name|
-  #   define_method "test_should_forbid_#{tag_name.upcase}_tag" do
-  #     input = "<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>"
-  #     output = "&lt;#{tag_name.upcase} title=\"1\"&gt;foo &lt;bad&gt;bar&lt;/bad&gt; baz&lt;/#{tag_name.upcase}&gt;"
-  #     check_sanitization(input, output, output, output)
-  #   end
-  # end
-
-  HTML5::WhiteList::ALLOWED_ATTRIBUTES.each do |attribute_name|
-    next if attribute_name == 'style'
-    define_method "test_should_allow_#{attribute_name}_attribute" do
-        input = "<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>"
-      if %w[checked compact disabled ismap multiple nohref noshade nowrap readonly selected].include?(attribute_name)
-        output = "<p #{attribute_name}>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-        htmloutput = "<p #{attribute_name.downcase}>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-      else
-        output = "<p #{attribute_name}='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-        htmloutput = "<p #{attribute_name.downcase}='foo'>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-      end
-      check_sanitization(input, htmloutput, output, output)
-    end
-  end
-
-  ##
-  ##  libxml2 downcases attributes, so this is moot.
-  ##
-  # HTML5::WhiteList::ALLOWED_ATTRIBUTES.each do |attribute_name|
-  #   define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do
-  #     input = "<p #{attribute_name.upcase}='display: none;'>foo <bad>bar</bad> baz</p>"
-  #     output =  "<p>foo &lt;bad&gt;bar&lt;/bad&gt; baz</p>"
-  #     check_sanitization(input, output, output, output)
-  #   end
-  # end
-
-  HTML5::WhiteList::ALLOWED_PROTOCOLS.each do |protocol|
-    define_method "test_should_allow_#{protocol}_uris" do
-      input = %(<a href="#{protocol}">foo</a>)
-      output = "<a href='#{protocol}'>foo</a>"
-      check_sanitization(input, output, output, output)
-    end
-  end
-
-  HTML5::WhiteList::ALLOWED_PROTOCOLS.each do |protocol|
-    define_method "test_should_allow_uppercase_#{protocol}_uris" do
-      input = %(<a href="#{protocol.upcase}">foo</a>)
-      output = "<a href='#{protocol.upcase}'>foo</a>"
-      check_sanitization(input, output, output, output)
-    end
-  end
-
-  HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
-    next unless HTML5::WhiteList::ALLOWED_ELEMENTS.include?(tag_name)
-    define_method "test_#{tag_name}_should_allow_local_href" do
-      input = %(<#{tag_name} xlink:href="#foo"/>)
-      output = "<#{tag_name.downcase} xlink:href='#foo'></#{tag_name.downcase}>"
-      xhtmloutput = "<#{tag_name} xlink:href='#foo'></#{tag_name}>"
-      check_sanitization(input, output, xhtmloutput, xhtmloutput)
-    end
-
-    define_method "test_#{tag_name}_should_allow_local_href_with_newline" do
-      input = %(<#{tag_name} xlink:href="\n#foo"/>)
-      output = "<#{tag_name.downcase} xlink:href='\n#foo'></#{tag_name.downcase}>"
-      xhtmloutput = "<#{tag_name} xlink:href='\n#foo'></#{tag_name}>"
-      check_sanitization(input, output, xhtmloutput, xhtmloutput)
-    end
-
-    define_method "test_#{tag_name}_should_forbid_nonlocal_href" do
-      input = %(<#{tag_name} xlink:href="http://bad.com/foo"/>)
-      output = "<#{tag_name.downcase}></#{tag_name.downcase}>"
-      xhtmloutput = "<#{tag_name}></#{tag_name}>"
-      check_sanitization(input, output, xhtmloutput, xhtmloutput)
-    end
-
-    define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline" do
-      input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo"/>)
-      output = "<#{tag_name.downcase}></#{tag_name.downcase}>"
-      xhtmloutput = "<#{tag_name}></#{tag_name}>"
-      check_sanitization(input, output, xhtmloutput, xhtmloutput)
-    end
-  end
-
-  ##
-  ##  as tenderlove says, "care < 0"
-  ##
-  # def test_should_handle_astral_plane_characters
-  #   input = "<p>&#x1d4b5; &#x1d538;</p>"
-  #   output = "<p>\360\235\222\265 \360\235\224\270</p>"
-  #   check_sanitization(input, output, output, output)
-
-  #   input = "<p><tspan>\360\235\224\270</tspan> a</p>"
-  #   output = "<p><tspan>\360\235\224\270</tspan> a</p>"
-  #   check_sanitization(input, output, output, output)
-  # end
-
-# This affects only NS4. Is it worth fixing?
-#  def test_javascript_includes
-#    input = %(<div size="&{alert('XSS')}">foo</div>)
-#    output = "<div>foo</div>"    
-#    check_sanitization(input, output, output, output)
-#  end
-
-  ##
-  ##  these tests primarily test the parser logic, not the sanitizer
-  ##  logic. i call bullshit. we're not writing a test suite for
-  ##  libxml2 here, so let's rely on the unit tests above to take care
-  ##  of our valid elements and attributes.
-  ##
-  # Dir[File.join(File.dirname(__FILE__), 'testdata', '*.*')].each do |filename|
-  #   JSON::parse(open(filename).read).each do |test|
-  #     define_method "test_#{test['name']}" do
-  #       check_sanitization(
-  #         test['input'],
-  #         test['output'],
-  #         test['xhtml'] || test['output'],
-  #         test['rexml'] || test['output']
-  #       )
-  #     end
-  #   end
-  # end
-
-  ## added because we don't have any coverage above on SVG_ATTR_VAL_ALLOWS_REF
-  HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|  
-    define_method "test_should_allow_uri_refs_in_svg_attribute_#{attr_name}" do
-      input = "<rect fill='url(#foo)' />"
-      output = "<rect fill='url(#foo)'></rect>"
-      check_sanitization(input, output, output, output)
-    end
-
-    define_method "test_absolute_uri_refs_in_svg_attribute_#{attr_name}" do
-      input = "<rect fill='url(http://bad.com/) #fff' />"
-      output = "<rect fill='  #fff'></rect>"
-      check_sanitization(input, output, output, output)
-    end
-
-    define_method "test_uri_ref_with_space_in_svg_attribute_#{attr_name}" do
-      input = "<rect fill='url(\n#foo)' />"
-      rexml = "<rect fill='url(\n#foo)'></rect>"
-    end
-
-    define_method "test_absolute_uri_ref_with_space_in_svg_attribute_#{attr_name}" do
-      input = "<rect fill=\"url(\nhttp://bad.com/)\" />"
-      rexml = "<rect fill=' '></rect>"
-    end
-  end
-
-end
-
-# <html5_license>
-#
-# Copyright (c) 2006-2008 The Authors
-#
-# Contributors:
-# James Graham - jg307@cam.ac.uk
-# Anne van Kesteren - annevankesteren@gmail.com
-# Lachlan Hunt - lachlan.hunt@lachy.id.au
-# Matt McDonald - kanashii@kanashii.ca
-# Sam Ruby - rubys@intertwingly.net
-# Ian Hickson (Google) - ian@hixie.ch
-# Thomas Broyer - t.broyer@ltgt.net
-# Jacques Distler - distler@golem.ph.utexas.edu
-# Henri Sivonen - hsivonen@iki.fi
-# The Mozilla Foundation (contributions from Henri Sivonen since 2008)
-#
-# Permission is hereby granted, free of charge, to any person
-# obtaining a copy of this software and associated documentation files
-# (the "Software"), to deal in the Software without restriction,
-# including without limitation the rights to use, copy, modify, merge,
-# publish, distribute, sublicense, and/or sell copies of the Software,
-# and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
-# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
-# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#
-# </html5_license>

data/test/integration/test_ad_hoc.rb

@@ -1,176 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'helper'))
-
-class TestAdHoc < Test::Unit::TestCase
-
-  context "blank input string" do
-    context "fragment" do
-      should "return a blank string" do
-        assert_equal "", Loofah.scrub_fragment("", :prune).to_s
-      end
-    end
-
-    context "document" do
-      should "return a blank string" do
-        assert_equal "", Loofah.scrub_document("", :prune).root.to_s
-      end
-    end
-  end
-
-  def test_removal_of_illegal_tag
-    html = <<-HTML
-      following this there should be no jim tag
-      <jim>jim</jim>
-      was there?
-    HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert sane.xpath("//jim").empty?
-  end
-
-  def test_removal_of_illegal_attribute
-    html = "<p class=bar foo=bar abbr=bar />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    node = sane.xpath("//p").first
-    assert node.attributes['class']
-    assert node.attributes['abbr']
-    assert_nil node.attributes['foo']
-  end
-
-  def test_removal_of_illegal_url_in_href
-    html = <<-HTML
-      <a href='jimbo://jim.jim/'>this link should have its href removed because of illegal url</a>
-      <a href='http://jim.jim/'>this link should be fine</a>
-    HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    nodes = sane.xpath("//a")
-    assert_nil nodes.first.attributes['href']
-    assert nodes.last.attributes['href']
-  end
-
-  def test_css_sanitization
-    html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert_match(/#000/, sane.inner_html)
-    assert_no_match(/foo\.com/, sane.inner_html)
-  end
-
-  def test_fragment_with_no_tags
-    assert_equal "This fragment has no tags.", Loofah.scrub_fragment("This fragment has no tags.", :escape).to_xml
-  end
-
-  def test_fragment_in_p_tag
-    assert_equal "<p>This fragment is in a p.</p>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>", :escape).to_xml
-  end
-
-  def test_fragment_in_p_tag_plus_stuff
-    assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", Loofah.scrub_fragment("<p>This fragment is in a p.</p>foo<strong>bar</strong>", :escape).to_xml
-  end
-
-  def test_fragment_with_text_nodes_leading_and_trailing
-    assert_equal "text<p>fragment</p>text", Loofah.scrub_fragment("text<p>fragment</p>text", :escape).to_xml
-  end
-
-  def test_whitewash_on_fragment
-    html = "safe<frameset rows=\"*\"><frame src=\"http://example.com\"></frameset> <b>description</b>"
-    whitewashed = Loofah.scrub_document(html, :whitewash).xpath("/html/body/*").to_s
-    assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
-  end
-
-  MSWORD_HTML = <<-EOHTML
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>
-  EOHTML
-
-  def test_fragment_whitewash_on_microsofty_markup
-    whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
-    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s
-  end
-
-  def test_document_whitewash_on_microsofty_markup
-    whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
-    assert_contains whitewashed.to_s, %r(<p>Foo <b>BOLD</b></p>)
-    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.xpath("/html/body/*").to_s
-  end
-
-  def test_return_empty_string_when_nothing_left
-    assert_equal "", Loofah.scrub_document('<script>test</script>', :prune).text
-  end
-
-  def test_removal_of_all_tags
-    html = <<-HTML
-      What's up <strong>doc</strong>?
-    HTML
-    stripped = Loofah.scrub_document(html, :prune).text
-    assert_equal %Q(What\'s up doc?).strip, stripped.strip
-  end
-
-  def test_dont_remove_whitespace
-    html = "Foo\nBar"
-    assert_equal html, Loofah.scrub_document(html, :prune).text
-  end
-
-  def test_dont_remove_whitespace_between_tags
-    html = "<p>Foo</p>\n<p>Bar</p>"
-    assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
-  end
-end

data/test/integration/test_helpers.rb

@@ -1,33 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'helper'))
-
-class TestHelpers < Test::Unit::TestCase
-  context "#strip_tags" do
-    context "on safe markup" do
-      should "strip out tags" do
-        assert_equal "omgwtfbbq!!1!", Loofah::Helpers.strip_tags("<div>omgwtfbbq</div><span>!!1!</span>")
-      end
-    end
-
-    context "on hack attack" do
-      should "strip escape html entities" do
-        bad_shit = "&lt;script&gt;alert('evil')&lt;/script&gt;"
-        assert_equal bad_shit, Loofah::Helpers.strip_tags(bad_shit)
-      end
-    end
-  end
-
-  context "#sanitize" do
-    context "on safe markup" do
-      should "render the safe html" do
-        html = "<div>omgwtfbbq</div><span>!!1!</span>"
-        assert_equal html, Loofah::Helpers.sanitize(html)
-      end
-    end
-
-    context "on hack attack" do
-      should "strip the unsafe tags" do
-        assert_equal "alert('evil')<span>w00t</span>", Loofah::Helpers.sanitize("<script>alert('evil')</script><span>w00t</span>")
-      end
-    end
-  end
-end