sanitize 2.1.1 → 3.0.0

data/lib/sanitize/version.rb

@@ -1,3 +1,5 @@
+# encoding: utf-8
+
 class Sanitize
-  VERSION = '2.1.1'
+  VERSION = '3.0.0'
 end

data/test/common.rb

@@ -0,0 +1,34 @@
+# encoding: utf-8
+gem 'minitest'
+require 'minitest/autorun'
+
+require_relative '../lib/sanitize'
+
+# Helper to stub an instance method. Shamelessly stolen from
+# https://github.com/codeodor/minitest-stub_any_instance/
+class Object
+  def self.stub_instance(name, value, &block)
+    old_method = "__stubbed_method_#{name}__"
+
+    class_eval do
+      alias_method old_method, name
+
+      define_method(name) do |*args|
+        if value.respond_to?(:call) then
+          value.call(*args)
+        else
+          value
+        end
+      end
+    end
+
+    yield
+
+  ensure
+    class_eval do
+      undef_method name
+      alias_method name, old_method
+      undef_method old_method
+    end
+  end
+end

data/test/test_clean_comment.rb

@@ -0,0 +1,51 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::Transformers::CleanComment' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  describe 'when :allow_comments is false' do
+    before do
+      @s = Sanitize.new(:allow_comments => false, :elements => ['div'])
+    end
+
+    it 'should remove comments' do
+      @s.fragment('foo <!-- comment --> bar').must_equal 'foo  bar'
+      @s.fragment('foo <!-- ').must_equal 'foo '
+      @s.fragment('foo <!-- - -> bar').must_equal 'foo '
+      @s.fragment("foo <!--\n\n\n\n-->bar").must_equal 'foo bar'
+      @s.fragment("foo <!-- <!-- <!-- --> --> -->bar").must_equal 'foo  --&gt; --&gt;bar'
+      @s.fragment("foo <div <!-- comment -->>bar</div>").must_equal 'foo <div>&gt;bar</div>'
+
+      # Special case: the comment markup is inside a <script>, which makes it
+      # text content and not an actual HTML comment.
+      @s.fragment("<script><!-- comment --></script>").must_equal '&lt;!-- comment --&gt;'
+
+      Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => false, :elements => ['script'])
+        .must_equal '<script><!-- comment --></script>'
+    end
+  end
+
+  describe 'when :allow_comments is true' do
+    before do
+      @s = Sanitize.new(:allow_comments => true, :elements => ['div'])
+    end
+
+    it 'should allow comments' do
+      @s.fragment('foo <!-- comment --> bar').must_equal 'foo <!-- comment --> bar'
+      @s.fragment('foo <!-- ').must_equal 'foo <!-- -->'
+      @s.fragment('foo <!-- - -> bar').must_equal 'foo <!-- - -> bar-->'
+      @s.fragment("foo <!--\n\n\n\n-->bar").must_equal "foo <!--\n\n\n\n-->bar"
+      @s.fragment("foo <!-- <!-- <!-- --> --> -->bar").must_equal 'foo <!-- <!-- <!-- --> --&gt; --&gt;bar'
+      @s.fragment("foo <div <!-- comment -->>bar</div>").must_equal 'foo <div>&gt;bar</div>'
+
+      # Special case: the comment markup is inside a <script>, which makes it
+      # text content and not an actual HTML comment.
+      @s.fragment("<script><!-- comment --></script>").must_equal '&lt;!-- comment --&gt;'
+
+      Sanitize.fragment("<script><!-- comment --></script>", :allow_comments => true, :elements => ['script'])
+        .must_equal '<script><!-- comment --></script>'
+    end
+  end
+end

data/test/test_clean_css.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::Transformers::CSS::CleanAttribute' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  before do
+    @s = Sanitize.new(Sanitize::Config::RELAXED)
+  end
+
+  it 'should sanitize CSS properties in style attributes' do
+    @s.fragment(%[
+      <div style="color: #fff; width: expression(alert(1)); /* <-- evil! */"></div>
+    ].strip).must_equal %[
+      <div style="color: #fff;  /* &lt;-- evil! */"></div>
+    ].strip
+  end
+
+  it 'should remove the style attribute if the sanitized CSS is empty' do
+    @s.fragment('<div style="width: expression(alert(1))"></div>').
+      must_equal '<div></div>'
+  end
+end
+
+describe 'Sanitize::Transformers::CSS::CleanElement' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  before do
+    @s = Sanitize.new(Sanitize::Config::RELAXED)
+  end
+
+  it 'should sanitize CSS stylesheets in <style> elements' do
+    html = %[
+      <style>@import url(evil.css);
+      /* Yay CSS! */
+      .foo { color: #fff; }
+      #bar { background: url(yay.jpg); bogus: wtf; }
+      .evil { width: expression(xss()); }
+
+      @media screen (max-width:480px) {
+        .foo { width: 400px; }
+        #bar:not(.baz) { height: 100px; }
+      }
+      </style>
+    ].strip
+
+    @s.fragment(html).must_equal %[
+      <style>
+      /* Yay CSS! */
+      .foo { color: #fff; }
+      #bar { background: url(yay.jpg);  }
+      .evil {  }
+
+      @media screen (max-width:480px) {
+        .foo { width: 400px; }
+        #bar:not(.baz) { height: 100px; }
+      }
+      </style>
+    ].strip
+  end
+
+  it 'should remove the <style> element if the sanitized CSS is empty' do
+  end
+end

data/test/test_clean_doctype.rb

@@ -0,0 +1,71 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::Transformers::CleanDoctype' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  describe 'when :allow_doctype is false' do
+    before do
+      @s = Sanitize.new(:allow_doctype => false, :elements => ['html'])
+    end
+
+    it 'should remove doctype declarations' do
+      @s.document('<!DOCTYPE html><html>foo</html>').must_equal "<html>foo</html>\n"
+      @s.fragment('<!DOCTYPE html>foo').must_equal 'foo'
+    end
+
+    it 'should not allow doctype definitions in fragments' do
+      @s.fragment('<!DOCTYPE html><html>foo</html>')
+        .must_equal "foo"
+
+      @s.fragment('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>')
+        .must_equal "foo"
+
+      @s.fragment("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n    \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html>foo</html>")
+        .must_equal "foo"
+    end
+  end
+
+  describe 'when :allow_doctype is true' do
+    before do
+      @s = Sanitize.new(:allow_doctype => true, :elements => ['html'])
+    end
+
+    it 'should allow doctype declarations in documents' do
+      @s.document('<!DOCTYPE html><html>foo</html>')
+        .must_equal "<!DOCTYPE html>\n<html>foo</html>\n"
+
+      @s.document('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>')
+        .must_equal "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n<html>foo</html>\n"
+
+      @s.document("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n    \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html>foo</html>")
+        .must_equal "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html>foo</html>\n"
+    end
+
+    it 'should not allow obviously invalid doctype declarations in documents' do
+      @s.document('<!DOCTYPE blah blah blah><html>foo</html>')
+        .must_equal "<!DOCTYPE html>\n<html>foo</html>\n"
+
+      @s.document('<!DOCTYPE blah><html>foo</html>')
+        .must_equal "<!DOCTYPE html>\n<html>foo</html>\n"
+
+      @s.document('<!DOCTYPE html BLAH "-//W3C//DTD HTML 4.01//EN"><html>foo</html>')
+        .must_equal "<!DOCTYPE html>\n<html>foo</html>\n"
+
+      @s.document('<!whatever><html>foo</html>')
+        .must_equal "<html>foo</html>\n"
+    end
+
+    it 'should not allow doctype definitions in fragments' do
+      @s.fragment('<!DOCTYPE html><html>foo</html>')
+        .must_equal "foo"
+
+      @s.fragment('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html>foo</html>')
+        .must_equal "foo"
+
+      @s.fragment("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n    \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html>foo</html>")
+        .must_equal "foo"
+    end
+  end
+end

data/test/test_clean_element.rb

@@ -0,0 +1,399 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::Transformers::CleanElement' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  strings = {
+    :basic => {
+      :html       => '<b>Lo<!-- comment -->rem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <style>.foo { color: #fff; }</style> <script>alert("hello world");</script>',
+
+      :default    => 'Lorem ipsum dolor sit amet .foo { color: #fff; } alert("hello world");',
+      :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet .foo { color: #fff; } alert("hello world");',
+      :basic      => '<b>Lorem</b> <a href="pants" rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet .foo { color: #fff; } alert("hello world");',
+      :relaxed    => '<b>Lorem</b> <a href="pants" title="foo" style="text-decoration: underline;">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet <style>.foo { color: #fff; }</style> alert("hello world");'
+    },
+
+    :malformed => {
+      :html       => 'Lo<!-- comment -->rem</b> <a href=pants title="foo>ipsum <a href="http://foo.com/"><strong>dolor</a></strong> sit<br/>amet <script>alert("hello world");',
+
+      :default    => 'Lorem dolor sit amet alert("hello world");',
+      :restricted => 'Lorem <strong>dolor</strong> sit amet alert("hello world");',
+      :basic      => 'Lorem <a href="pants" rel="nofollow"><strong>dolor</strong></a> sit<br>amet alert("hello world");',
+      :relaxed    => 'Lorem <a href="pants" title="foo&gt;ipsum &lt;a href="><strong>dolor</strong></a> sit<br>amet alert("hello world");',
+    },
+
+    :unclosed => {
+      :html       => '<p>a</p><blockquote>b',
+
+      :default    => ' a  b ',
+      :restricted => ' a  b ',
+      :basic      => '<p>a</p><blockquote>b</blockquote>',
+      :relaxed    => '<p>a</p><blockquote>b</blockquote>'
+    },
+
+    :malicious => {
+      :html       => '<b>Lo<!-- comment -->rem</b> <a href="javascript:pants" title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br/>amet <<foo>script>alert("hello world");</script>',
+
+      :default    => 'Lorem ipsum dolor sit amet &lt;script&gt;alert("hello world");',
+      :restricted => '<b>Lorem</b> ipsum <strong>dolor</strong> sit amet &lt;script&gt;alert("hello world");',
+      :basic      => '<b>Lorem</b> <a rel="nofollow">ipsum</a> <a href="http://foo.com/" rel="nofollow"><strong>dolor</strong></a> sit<br>amet &lt;script&gt;alert("hello world");',
+      :relaxed    => '<b>Lorem</b> <a title="foo">ipsum</a> <a href="http://foo.com/"><strong>dolor</strong></a> sit<br>amet &lt;script&gt;alert("hello world");'
+    }
+  }
+
+  protocols = {
+    'protocol-based JS injection: simple, no spaces' => {
+      :html       => '<a href="javascript:alert(\'XSS\');">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: simple, spaces before' => {
+      :html       => '<a href="javascript    :alert(\'XSS\');">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: simple, spaces after' => {
+      :html       => '<a href="javascript:    alert(\'XSS\');">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: simple, spaces before and after' => {
+      :html       => '<a href="javascript    :   alert(\'XSS\');">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: preceding colon' => {
+      :html       => '<a href=":javascript:alert(\'XSS\');">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: UTF-8 encoding' => {
+      :html       => '<a href="javascript&#58;">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: long UTF-8 encoding' => {
+      :html       => '<a href="javascript&#0058;">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
+      :html       => '<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: hex encoding' => {
+      :html       => '<a href="javascript&#x3A;">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: long hex encoding' => {
+      :html       => '<a href="javascript&#x003A;">foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: hex encoding without semicolons' => {
+      :html       => '<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>foo</a>',
+      :default    => 'foo',
+      :restricted => 'foo',
+      :basic      => '<a rel="nofollow">foo</a>',
+      :relaxed    => '<a>foo</a>'
+    },
+
+    'protocol-based JS injection: null char' => {
+      :html       => "<img src=java\0script:alert(\"XSS\")>",
+      :default    => '',
+      :restricted => '',
+      :basic      => '',
+      :relaxed    => '<img>'
+    },
+
+    'protocol-based JS injection: invalid URL char' => {
+      :html       => '<img src=java\script:alert("XSS")>',
+      :default    => '',
+      :restricted => '',
+      :basic      => '',
+      :relaxed    => '<img>'
+    },
+
+    'protocol-based JS injection: spaces and entities' => {
+      :html       => '<img src=" &#14;  javascript:alert(\'XSS\');">',
+      :default    => '',
+      :restricted => '',
+      :basic      => '',
+      :relaxed    => '<img>'
+    }
+  }
+
+  describe 'Default config' do
+    it 'should remove non-whitelisted elements, leaving safe contents behind' do
+      Sanitize.fragment('foo <b>bar</b> <strong><a href="#a">baz</a></strong> quux')
+        .must_equal 'foo bar baz quux'
+
+      Sanitize.fragment('<script>alert("<xss>");</script>')
+        .must_equal 'alert("&lt;xss&gt;");'
+
+      Sanitize.fragment('<<script>script>alert("<xss>");</<script>>')
+        .must_equal '&lt;script&gt;alert("&lt;xss&gt;");&lt;/&lt;script&gt;&gt;'
+
+      Sanitize.fragment('< script <>> alert("<xss>");</script>')
+        .must_equal '&lt; script &lt;&gt;&gt; alert("");'
+    end
+
+    it 'should surround the contents of :whitespace_elements with space characters when removing the element' do
+      Sanitize.fragment('foo<div>bar</div>baz')
+        .must_equal 'foo bar baz'
+
+      Sanitize.fragment('foo<br>bar<br>baz')
+        .must_equal 'foo bar baz'
+
+      Sanitize.fragment('foo<hr>bar<hr>baz')
+        .must_equal 'foo bar baz'
+    end
+
+    it 'should not choke on several instances of the same element in a row' do
+      Sanitize.fragment('<img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif"><img src="http://www.google.com/intl/en_ALL/images/logo.gif">')
+        .must_equal ''
+    end
+
+    strings.each do |name, data|
+      it "should clean #{name} HTML" do
+        Sanitize.fragment(data[:html]).must_equal(data[:default])
+      end
+    end
+
+    protocols.each do |name, data|
+      it "should not allow #{name}" do
+        Sanitize.fragment(data[:html]).must_equal(data[:default])
+      end
+    end
+  end
+
+  describe 'Restricted config' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RESTRICTED)
+    end
+
+    strings.each do |name, data|
+      it "should clean #{name} HTML" do
+        @s.fragment(data[:html]).must_equal(data[:restricted])
+      end
+    end
+
+    protocols.each do |name, data|
+      it "should not allow #{name}" do
+        @s.fragment(data[:html]).must_equal(data[:restricted])
+      end
+    end
+  end
+
+  describe 'Basic config' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::BASIC)
+    end
+
+    it 'should not choke on valueless attributes' do
+      @s.fragment('foo <a href>foo</a> bar')
+        .must_equal 'foo <a href="" rel="nofollow">foo</a> bar'
+    end
+
+    it 'should downcase attribute names' do
+      @s.fragment('<a HREF="javascript:alert(\'foo\')">bar</a>')
+        .must_equal '<a rel="nofollow">bar</a>'
+    end
+
+    strings.each do |name, data|
+      it "should clean #{name} HTML" do
+        @s.fragment(data[:html]).must_equal(data[:basic])
+      end
+    end
+
+    protocols.each do |name, data|
+      it "should not allow #{name}" do
+        @s.fragment(data[:html]).must_equal(data[:basic])
+      end
+    end
+  end
+
+  describe 'Relaxed config' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RELAXED)
+    end
+
+    it 'should encode special chars in attribute values' do
+      @s.fragment('<a href="http://example.com" title="<b>&eacute;xamples</b> & things">foo</a>')
+        .must_equal '<a href="http://example.com" title="&lt;b&gt;éxamples&lt;/b&gt; &amp; things">foo</a>'
+    end
+
+    strings.each do |name, data|
+      it "should clean #{name} HTML" do
+        @s.fragment(data[:html]).must_equal(data[:relaxed])
+      end
+    end
+
+    protocols.each do |name, data|
+      it "should not allow #{name}" do
+        @s.fragment(data[:html]).must_equal(data[:relaxed])
+      end
+    end
+  end
+
+  describe 'Custom configs' do
+    it 'should allow attributes on all elements if whitelisted under :all' do
+      input = '<p class="foo">bar</p>'
+
+      Sanitize.fragment(input).must_equal ' bar '
+
+      Sanitize.fragment(input, {
+        :elements   => ['p'],
+        :attributes => {:all => ['class']}
+      }).must_equal input
+
+      Sanitize.fragment(input, {
+        :elements   => ['p'],
+        :attributes => {'div' => ['class']}
+      }).must_equal '<p>bar</p>'
+
+      Sanitize.fragment(input, {
+        :elements   => ['p'],
+        :attributes => {'p' => ['title'], :all => ['class']}
+      }).must_equal input
+    end
+
+    it 'should allow relative URLs containing colons when the colon is not in the first path segment' do
+      input = '<a href="/wiki/Special:Random">Random Page</a>'
+
+      Sanitize.fragment(input, {
+        :elements   => ['a'],
+        :attributes => {'a' => ['href']},
+        :protocols  => {'a' => {'href' => [:relative]}}
+      }).must_equal input
+    end
+
+    it 'should allow relative URLs containing colons when the colon is part of an anchor' do
+      input = '<a href="#fn:1">Footnote 1</a>'
+
+      Sanitize.fragment(input, {
+        :elements   => ['a'],
+        :attributes => {'a' => ['href']},
+        :protocols  => {'a' => {'href' => [:relative]}}
+      }).must_equal input
+
+      input = '<a href="somepage#fn:1">Footnote 1</a>'
+
+      Sanitize.fragment(input, {
+        :elements   => ['a'],
+        :attributes => {'a' => ['href']},
+        :protocols  => {'a' => {'href' => [:relative]}}
+      }).must_equal input
+    end
+
+    it 'should remove the contents of filtered nodes when :remove_contents is true' do
+      Sanitize.fragment('foo bar <div>baz<span>quux</span></div>',
+        :remove_contents => true
+      ).must_equal 'foo bar   '
+    end
+
+    it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as strings' do
+      Sanitize.fragment('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>',
+        :remove_contents => ['script', 'span']
+      ).must_equal 'foo bar  baz '
+    end
+
+    it 'should remove the contents of specified nodes when :remove_contents is an Array of element names as symbols' do
+      Sanitize.fragment('foo bar <div>baz<span>quux</span><script>alert("hello!");</script></div>',
+        :remove_contents => [:script, :span]
+      ).must_equal 'foo bar  baz '
+    end
+
+    it 'should not allow arbitrary HTML5 data attributes by default' do
+      Sanitize.fragment('<b data-foo="bar"></b>',
+        :elements => ['b']
+      ).must_equal '<b></b>'
+
+      Sanitize.fragment('<b class="foo" data-foo="bar"></b>',
+        :attributes => {'b' => ['class']},
+        :elements   => ['b']
+      ).must_equal '<b class="foo"></b>'
+    end
+
+    it 'should allow arbitrary HTML5 data attributes when the :attributes config includes :data' do
+      s = Sanitize.new(
+        :attributes => {'b' => [:data]},
+        :elements   => ['b']
+      )
+
+      s.fragment('<b data-foo="valid" data-bar="valid"></b>')
+        .must_equal '<b data-foo="valid" data-bar="valid"></b>'
+
+      s.fragment('<b data-="invalid"></b>')
+        .must_equal '<b></b>'
+
+      s.fragment('<b data-="invalid"></b>')
+        .must_equal '<b></b>'
+
+      s.fragment('<b data-xml="invalid"></b>')
+        .must_equal '<b></b>'
+
+      s.fragment('<b data-xmlfoo="invalid"></b>')
+        .must_equal '<b></b>'
+
+      s.fragment('<b data-f:oo="valid"></b>')
+        .must_equal '<b></b>'
+
+      s.fragment('<b data-f/oo="partial"></b>')
+        .must_equal '<b data-f=""></b>' # Nokogiri quirk; not ideal, but harmless
+
+      s.fragment('<b data-éfoo="valid"></b>')
+        .must_equal '<b></b>' # Another annoying Nokogiri quirk.
+    end
+
+    it 'should replace whitespace_elements with configured :before and :after values' do
+      s = Sanitize.new(
+        :whitespace_elements => {
+          'p'   => { :before => "\n", :after => "\n" },
+          'div' => { :before => "\n", :after => "\n" },
+          'br'  => { :before => "\n", :after => "\n" },
+        }
+      )
+
+      s.fragment('<p>foo</p>').must_equal "\nfoo\n"
+      s.fragment('<p>foo</p><p>bar</p>').must_equal "\nfoo\n\nbar\n"
+      s.fragment('foo<div>bar</div>baz').must_equal "foo\nbar\nbaz"
+      s.fragment('foo<br>bar<br>baz').must_equal "foo\nbar\nbaz"
+    end
+  end
+
+end