afan
/
gitea
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
gitea源码
3 Revīzijas
2 Atzari
Atzars: master
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'master'
${ noResults }
gitea/modules/markup/sanitizer_default_test.go

sanitizer_default_test.go 4.3KB
Patstāvīgā saite Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Copyright 2017 The Gogs Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. package markup

  6. 

  7. import (

  8. 	"testing"

  9. 

  10. 	"github.com/stretchr/testify/assert"

  11. )

  12. 

  13. func TestSanitizer(t *testing.T) {

  14. 	testCases := []string{

  15. 		// Regular

  16. 		`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`,

  17. 		"<scrİpt>&lt;script&gt;alert(document.domain)&lt;/script&gt;</scrİpt>", "&lt;script&gt;alert(document.domain)&lt;/script&gt;",

  18. 

  19. 		// Code highlighting class

  20. 		`<code class="random string"></code>`, `<code></code>`,

  21. 		`<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`,

  22. 		`<span class="k"></span><span class="nb"></span>`, `<span class="k"></span><span class="nb"></span>`,

  23. 

  24. 		// Input checkbox

  25. 		`<input type="hidden">`, ``,

  26. 		`<input type="checkbox">`, `<input type="checkbox">`,

  27. 		`<input checked disabled autofocus>`, `<input checked="" disabled="">`,

  28. 

  29. 		// Code highlight injection

  30. 		`<code class="language-random&#32;ui&#32;tab&#32;active&#32;menu&#32;attached&#32;animating&#32;sidebar&#32;following&#32;bar&#32;center"></code>`, `<code></code>`,

  31. 		`<code class="language-lol&#32;ui&#32;tab&#32;active&#32;menu&#32;attached&#32;animating&#32;sidebar&#32;following&#32;bar&#32;center">

  32. <code class="language-lol&#32;ui&#32;container&#32;input&#32;huge&#32;basic&#32;segment&#32;center">&nbsp;</code>

  33. <img src="https://try.gogs.io/img/favicon.png" width="200" height="200">

  34. <code class="language-lol&#32;ui&#32;container&#32;input&#32;massive&#32;basic&#32;segment">Hello there! Something has gone wrong, we are working on it.</code>

  35. <code class="language-lol&#32;ui&#32;container&#32;input&#32;huge&#32;basic&#32;segment">In the meantime, play a game with us at&nbsp;<a href="http://example.com/">example.com</a>.</code>

  36. </code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>",

  37. 

  38. 		// <kbd> tags

  39. 		`<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`,

  40. 		`<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`,

  41. 		`<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`,

  42. 		`<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`,

  43. 

  44. 		// Color property

  45. 		`<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`,

  46. 		`<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`,

  47. 		`<code style="color: red">Hello World</code>`, `<code>Hello World</code>`,

  48. 		`<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`,

  49. 		`<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`,

  50. 		`<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`,

  51. 

  52. 		// Org mode status of list items.

  53. 		`<li class="checked"></li>`, `<li class="checked"></li>`,

  54. 		`<li class="unchecked"></li>`, `<li class="unchecked"></li>`,

  55. 		`<li class="indeterminate"></li>`, `<li class="indeterminate"></li>`,

  56. 

  57. 		// URLs

  58. 		`<a href="cbthunderlink://somebase64string)">my custom URL scheme</a>`, `<a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a>`,

  59. 		`<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a>`, `<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a>`,

  60. 

  61. 		// Disallow dangerous url schemes

  62. 		`<a href="javascript:alert('xss')">bad</a>`, `bad`,

  63. 		`<a href="vbscript:no">bad</a>`, `bad`,

  64. 		`<a href="data:1234">bad</a>`, `bad`,

  65. 

  66. 		// Some classes and attributes are used by the frontend framework and will execute JS code, so make sure they are removed

  67. 		`<div class="link-action" data-attr-class="foo" data-url="xxx">txt</div>`, `<div data-attr-class="foo">txt</div>`,

  68. 		`<div class="form-fetch-action" data-markdown-generated-content="bar" data-global-init="a" data-global-click="b">txt</div>`, `<div data-markdown-generated-content="bar">txt</div>`,

  69. 	}

  70. 

  71. 	for i := 0; i < len(testCases); i += 2 {

  72. 		assert.Equal(t, testCases[i+1], string(Sanitize(testCases[i])))

  73. 	}

  74. }