require "test_helper"
class HtmlSanitizerTest < Minitest::Test
test "disallow a script tag" do
html = ""
assert_equal "alert('XSS')", Govspeak::HtmlSanitizer.new(html).sanitize
end
test "disallow a javascript protocol in an attribute" do
html = %q{an example}
assert_equal "an example", Govspeak::HtmlSanitizer.new(html).sanitize
end
test "disallow on* attributes" do
html = %q{Link}
assert_equal "Link", Govspeak::HtmlSanitizer.new(html).sanitize
end
test "allow non-JS HTML content" do
html = ""
assert_equal "", Govspeak::HtmlSanitizer.new(html).sanitize
end
test "keep things that should be HTML entities" do
html = "Fortnum & Mason"
assert_equal "Fortnum & Mason", Govspeak::HtmlSanitizer.new(html).sanitize
end
test "allows images on whitelisted domains" do
html = "
"
sanitized_html = Govspeak::HtmlSanitizer.new(html, allowed_image_hosts: ['allowed.com']).sanitize
assert_equal "![](\"http://allowed.com/image.jgp\")
", sanitized_html
end
test "removes images not on whitelisted domains" do
html = "
"
assert_equal "", Govspeak::HtmlSanitizer.new(html, allowed_image_hosts: ['allowed.com']).sanitize
end
test "can strip images" do
html = "
"
assert_equal "", Govspeak::HtmlSanitizer.new(html).sanitize_without_images
end
test "allows table cells and table headings without a style attribute" do
html = "thing | thing | "
assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
end
test "allows valid text-align properties on the style attribute for table cells and table headings" do
["left", "right", "center"].each do |alignment|
html = "thing | thing | "
assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
end
[
"width: 10000px",
"text-align: middle",
"text-align: left; width: 10px",
"background-image: url(javascript:alert('XSS'))",
"expression(alert('XSS'));"
].each do |style|
html = "thing | thing | "
assert_equal 'thing | thing | ', Govspeak::HtmlSanitizer.new(html).sanitize
end
end
end