sanitize 2.1.1 → 3.0.0

data/test/test_sanitize_css.rb

@@ -0,0 +1,222 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Sanitize::CSS' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  describe 'instance methods' do
+    before do
+      @default = Sanitize::CSS.new
+      @relaxed = Sanitize::CSS.new(Sanitize::Config::RELAXED[:css])
+      @custom  = Sanitize::CSS.new(:properties => %w[background color width])
+    end
+
+    describe '#properties' do
+      it 'should sanitize CSS properties' do
+        css = 'background: #fff; width: expression(alert("hi"));'
+
+        @default.properties(css).must_equal ' '
+        @relaxed.properties(css).must_equal 'background: #fff; '
+        @custom.properties(css).must_equal 'background: #fff; '
+      end
+
+      it 'should allow whitelisted URL protocols' do
+        [
+          "background: url(relative.jpg)",
+          "background: url('relative.jpg')",
+          "background: url(http://example.com/http.jpg)",
+          "background: url('ht\\tp://example.com/http.jpg')",
+          "background: url(https://example.com/https.jpg)",
+          "background: url('https://example.com/https.jpg')",
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal css
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow non-whitelisted URL protocols' do
+        [
+          "background: url(javascript:alert(0))",
+          "background: url(ja\\56 ascript:alert(0))",
+          "background: url('javascript:foo')",
+          "background: url('ja\\56 ascript:alert(0)')",
+          "background: url('ja\\va\\script\\:alert(0)')",
+          "background: url('javas\\\ncript:alert(0)')",
+          "background: url('java\\0script:foo')"
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal ''
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow -moz-binding' do
+        css = "-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')"
+
+        @default.properties(css).must_equal ''
+        @relaxed.properties(css).must_equal ''
+        @custom.properties(css).must_equal ''
+      end
+
+      it 'should not allow expressions' do
+        [
+          "width:expression(alert(1))",
+          "width:  /**/expression(alert(1)",
+          "width:e\\78 pression(\n\nalert(\n1)",
+          "width:\nexpression(alert(1));",
+          "xss:expression(alert(1))",
+          "height: foo(expression(alert(1)));"
+        ].each do |css|
+          @default.properties(css).must_equal ''
+          @relaxed.properties(css).must_equal ''
+          @custom.properties(css).must_equal ''
+        end
+      end
+
+      it 'should not allow behaviors' do
+        css = "behavior: url(xss.htc);"
+
+        @default.properties(css).must_equal ''
+        @relaxed.properties(css).must_equal ''
+        @custom.properties(css).must_equal ''
+      end
+
+      describe 'when :allow_comments is true' do
+        it 'should preserve comments' do
+          @relaxed.properties('color: #fff; /* comment */ width: 100px;')
+            .must_equal 'color: #fff; /* comment */ width: 100px;'
+
+          @relaxed.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+            .must_equal "color: #fff; /* \n\ncomment */ width: 100px;"
+        end
+      end
+
+      describe 'when :allow_comments is false' do
+        it 'should strip comments' do
+          @custom.properties('color: #fff; /* comment */ width: 100px;')
+            .must_equal 'color: #fff;  width: 100px;'
+
+          @custom.properties("color: #fff; /* \n\ncomment */ width: 100px;")
+            .must_equal 'color: #fff;  width: 100px;'
+        end
+      end
+
+      describe 'when :allow_hacks is true' do
+        it 'should allow common CSS hacks' do
+          @relaxed.properties('_border: 1px solid #fff; *width: 10px')
+            .must_equal '_border: 1px solid #fff; *width: 10px'
+        end
+      end
+
+      describe 'when :allow_hacks is false' do
+        it 'should not allow common CSS hacks' do
+          @custom.properties('_border: 1px solid #fff; *width: 10px')
+            .must_equal ' '
+        end
+      end
+    end
+
+    describe '#stylesheet' do
+      it 'should sanitize a CSS stylesheet' do
+        css = %[
+          /* Yay CSS! */
+          .foo { color: #fff; }
+          #bar { background: url(yay.jpg); }
+
+          @media screen (max-width:480px) {
+            .foo { width: 400px; }
+            #bar:not(.baz) { height: 100px; }
+          }
+        ].strip
+
+        @default.stylesheet(css).strip.must_equal %[
+          .foo {  }
+          #bar {  }
+        ].strip
+
+        @relaxed.stylesheet(css).must_equal css
+
+        @custom.stylesheet(css).strip.must_equal %[
+          .foo { color: #fff; }
+          #bar {  }
+        ].strip
+      end
+
+      describe 'when :allow_comments is true' do
+        it 'should preserve comments' do
+          @relaxed.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+            .must_equal '.foo { color: #fff; /* comment */ width: 100px; }'
+
+          @relaxed.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+            .must_equal ".foo { color: #fff; /* \n\ncomment */ width: 100px; }"
+        end
+      end
+
+      describe 'when :allow_comments is false' do
+        it 'should strip comments' do
+          @custom.stylesheet('.foo { color: #fff; /* comment */ width: 100px; }')
+            .must_equal '.foo { color: #fff;  width: 100px; }'
+
+          @custom.stylesheet(".foo { color: #fff; /* \n\ncomment */ width: 100px; }")
+            .must_equal '.foo { color: #fff;  width: 100px; }'
+        end
+      end
+
+      describe 'when :allow_hacks is true' do
+        it 'should allow common CSS hacks' do
+          @relaxed.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+            .must_equal '.foo { _border: 1px solid #fff; *width: 10px }'
+        end
+      end
+
+      describe 'when :allow_hacks is false' do
+        it 'should not allow common CSS hacks' do
+          @custom.stylesheet('.foo { _border: 1px solid #fff; *width: 10px }')
+            .must_equal '.foo {  }'
+        end
+      end
+    end
+
+    describe '#tree!' do
+      it 'should sanitize a Crass CSS parse tree' do
+        tree = Crass.parse("@import url(foo.css);\n" <<
+          ".foo { background: #fff; font: 16pt 'Comic Sans MS'; }\n" <<
+          "#bar { top: 125px; background: green; }")
+
+        @custom.tree!(tree).must_be_same_as tree
+
+        Crass::Parser.stringify(tree).must_equal "\n" <<
+            ".foo { background: #fff;  }\n" <<
+            "#bar {  background: green; }"
+      end
+    end
+  end
+
+  describe 'class methods' do
+    describe '.properties' do
+      it 'should call #properties' do
+        Sanitize::CSS.stub_instance(:properties, proc {|css| css + 'bar' }) do
+          Sanitize::CSS.properties('foo').must_equal 'foobar'
+        end
+      end
+    end
+
+    describe '.stylesheet' do
+      it 'should call #stylesheet' do
+        Sanitize::CSS.stub_instance(:stylesheet, proc {|css| css + 'bar' }) do
+          Sanitize::CSS.stylesheet('foo').must_equal 'foobar'
+        end
+      end
+    end
+
+    describe '.tree!' do
+      it 'should call #tree!' do
+        Sanitize::CSS.stub_instance(:tree!, proc {|tree| tree + 'bar' }) do
+          Sanitize::CSS.tree!('foo').must_equal 'foobar'
+        end
+      end
+    end
+  end
+end

data/test/test_transformers.rb

@@ -0,0 +1,144 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Transformers' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  youtube_transformer = lambda do |env|
+    node      = env[:node]
+    node_name = env[:node_name]
+
+    # Don't continue if this node is already whitelisted or is not an element.
+    return if env[:is_whitelisted] || !node.element?
+
+    # Don't continue unless the node is an iframe.
+    return unless node_name == 'iframe'
+
+    # Verify that the video URL is actually a valid YouTube video URL.
+    return unless node['src'] =~ %r|\A(?:https?:)?//(?:www\.)?youtube(?:-nocookie)?\.com/|
+
+    # We're now certain that this is a YouTube embed, but we still need to run
+    # it through a special Sanitize step to ensure that no unwanted elements or
+    # attributes that don't belong in a YouTube embed can sneak in.
+    Sanitize.node!(node, {
+      :elements => %w[iframe],
+
+      :attributes => {
+        'iframe'  => %w[allowfullscreen frameborder height src width]
+      }
+    })
+
+    # Now that we're sure that this is a valid YouTube embed and that there are
+    # no unwanted elements or attributes hidden inside it, we can tell Sanitize
+    # to whitelist the current node.
+    {:node_whitelist => [node]}
+  end
+
+  it 'should receive a complete env Hash as input' do
+    Sanitize.fragment('<SPAN>foo</SPAN>',
+      :foo => :bar,
+      :transformers => lambda {|env|
+        return unless env[:node].element?
+
+        env[:config][:foo].must_equal :bar
+        env[:is_whitelisted].must_equal false
+        env[:node].must_be_kind_of Nokogiri::XML::Node
+        env[:node_name].must_equal 'span'
+        env[:node_whitelist].must_be_kind_of Set
+        env[:node_whitelist].must_be_empty
+      }
+    )
+  end
+
+  it 'should traverse all node types, including the fragment itself' do
+    nodes = []
+
+    Sanitize.fragment('<div>foo</div><!--bar--><script>cdata!</script>',
+      :transformers => proc {|env| nodes << env[:node_name] }
+    )
+
+    nodes.must_equal %w[
+      #document-fragment div text text text comment script text
+    ]
+  end
+
+  it 'should perform top-down traversal' do
+    nodes = []
+
+    Sanitize.fragment('<div><span><strong>foo</strong></span><b></b></div><p>bar</p>',
+      :transformers => proc {|env| nodes << env[:node_name] if env[:node].element? }
+    )
+
+    nodes.must_equal %w[div span strong b p]
+  end
+
+  it 'should whitelist nodes in the node whitelist' do
+    Sanitize.fragment('<div class="foo">foo</div><span>bar</span>',
+      :transformers => [
+        proc {|env|
+          {:node_whitelist => [env[:node]]} if env[:node_name] == 'div'
+        },
+
+        proc {|env|
+          env[:is_whitelisted].must_equal false unless env[:node_name] == 'div'
+          env[:is_whitelisted].must_equal true if env[:node_name] == 'div'
+          env[:node_whitelist].must_include env[:node] if env[:node_name] == 'div'
+        }
+      ]
+    ).must_equal '<div class="foo">foo</div>bar'
+  end
+
+  it 'should clear the node whitelist after each fragment' do
+    called = false
+
+    Sanitize.fragment('<div>foo</div>',
+      :transformers => proc {|env| {:node_whitelist => [env[:node]]}}
+    )
+
+    Sanitize.fragment('<div>foo</div>',
+      :transformers => proc {|env|
+        called = true
+        env[:is_whitelisted].must_equal false
+        env[:node_whitelist].must_be_empty
+      }
+    )
+
+    called.must_equal true
+  end
+
+  it 'should allow YouTube video embeds via the YouTube transformer' do
+    input = '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+    Sanitize.fragment(input, :transformers => youtube_transformer)
+      .must_equal '<iframe width="420" height="315" src="http://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+  end
+
+  it 'should allow https YouTube video embeds via the YouTube transformer' do
+    input = '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+    Sanitize.fragment(input, :transformers => youtube_transformer)
+      .must_equal '<iframe width="420" height="315" src="https://www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+  end
+
+  it 'should allow protocol-relative YouTube video embeds via the YouTube transformer' do
+    input = '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+    Sanitize.fragment(input, :transformers => youtube_transformer)
+      .must_equal '<iframe width="420" height="315" src="//www.youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+  end
+
+  it 'should allow privacy-enhanced YouTube video embeds via the YouTube transformer' do
+    input = '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen bogus="bogus"><script>alert()</script></iframe>'
+
+    Sanitize.fragment(input, :transformers => youtube_transformer)
+      .must_equal '<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen="">&lt;script&gt;alert()&lt;/script&gt;</iframe>'
+  end
+
+  it 'should not allow non-YouTube video embeds via the YouTube transformer' do
+    input = '<iframe width="420" height="315" src="http://www.fake-youtube.com/embed/QH2-TGUlwu4" frameborder="0" allowfullscreen></iframe>'
+
+    Sanitize.fragment(input, :transformers => youtube_transformer)
+      .must_equal('')
+  end
+end

data/test/test_unicode.rb

@@ -0,0 +1,84 @@
+# encoding: utf-8
+require_relative 'common'
+
+describe 'Unicode' do
+  make_my_diffs_pretty!
+  parallelize_me!
+
+  # http://www.w3.org/TR/unicode-xml/#Charlist
+  describe 'Unsuitable characters' do
+    before do
+      @s = Sanitize.new(Sanitize::Config::RELAXED)
+    end
+
+    it 'should strip deprecated grave and acute clones' do
+      @s.document("a\u0340b\u0341c").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u0340b\u0341c").must_equal 'abc'
+    end
+
+    it 'should strip deprecated Khmer characters' do
+      @s.document("a\u17a3b\u17d3c").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u17a3b\u17d3c").must_equal 'abc'
+    end
+
+    it 'should strip line and paragraph separator punctuation' do
+      @s.document("a\u2028b\u2029c").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u2028b\u2029c").must_equal 'abc'
+    end
+
+    it 'should strip bidi embedding control characters' do
+      @s.document("a\u202ab\u202bc\u202cd\u202de\u202e")
+        .must_equal "<html><head></head><body>abcde</body></html>\n"
+
+      @s.fragment("a\u202ab\u202bc\u202cd\u202de\u202e")
+        .must_equal 'abcde'
+    end
+
+    it 'should strip deprecated symmetric swapping characters' do
+      @s.document("a\u206ab\u206bc").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u206ab\u206bc").must_equal 'abc'
+    end
+
+    it 'should strip deprecated Arabic form shaping characters' do
+      @s.document("a\u206cb\u206dc").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u206cb\u206dc").must_equal 'abc'
+    end
+
+    it 'should strip deprecated National digit shape characters' do
+      @s.document("a\u206eb\u206fc").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\u206eb\u206fc").must_equal 'abc'
+    end
+
+    it 'should strip interlinear annotation characters' do
+      @s.document("a\ufff9b\ufffac\ufffb").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\ufff9b\ufffac\ufffb").must_equal 'abc'
+    end
+
+    it 'should strip BOM/zero-width non-breaking space characters' do
+      @s.document("a\ufeffbc").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\ufeffbc").must_equal 'abc'
+    end
+
+    it 'should strip object replacement characters' do
+      @s.document("a\ufffcbc").must_equal "<html><head></head><body>abc</body></html>\n"
+      @s.fragment("a\ufffcbc").must_equal 'abc'
+    end
+
+    it 'should strip musical notation scoping characters' do
+      @s.document("a\u{1d173}b\u{1d174}c\u{1d175}d\u{1d176}e\u{1d177}f\u{1d178}g\u{1d179}h\u{1d17a}")
+        .must_equal "<html><head></head><body>abcdefgh</body></html>\n"
+
+      @s.fragment("a\u{1d173}b\u{1d174}c\u{1d175}d\u{1d176}e\u{1d177}f\u{1d178}g\u{1d179}h\u{1d17a}")
+        .must_equal 'abcdefgh'
+    end
+
+    it 'should strip language tag code point characters' do
+      str = 'a'
+      (0xE0000..0xE007F).each {|n| str << [n].pack('U') }
+      str << 'b'
+
+      @s.document(str).must_equal "<html><head></head><body>ab</body></html>\n"
+      @s.fragment(str).must_equal 'ab'
+    end
+  end
+end