# frozen_string_literal: true

# NOTE(review): this listing was mangled by extraction. Every string literal
# below originally carried HTML markup (the tags/attributes being fed to
# sanitize_html) that has been stripped, and HTML entities in the expected
# values appear to have been decoded. Treat the input/expected pairs as a
# skeleton of the spec, not as its real contract: e.g. the
# '<script>alert("XSS");</script>' expected value under "nested tags" is
# presumably the entity-escaped text (&lt;script&gt;...) a sanitizer must
# emit for a nested-tag payload, NOT a raw script element. A sanitizer that
# returned a live <script> tag with tags: %w(em) would be an XSS bug.
# Confirm every pair against the upstream ree_text source before relying on
# this file.
RSpec.describe :sanitize_html do
  # Function under test is pulled in from the ree_text package.
  link :sanitize_html, from: :ree_text

  # Nested-tag payloads: stripping one layer of markup must not leave a
  # working tag behind. Only `em` is allowed here, so nothing script-like
  # may survive as an element.
  context "nested tags" do
    it {
      expect(sanitize_html(
        'alert("XSS");/',
        tags: %w(em)
      )).to eq('<script>alert("XSS");</script>')
      expect(sanitize_html(
        'alert("XSS");/',
        tags: %w(em)
      )).to eq('<script>alert("XSS");</script>')
    }
  end

  # URI-bearing attributes (href/src/action in the original markup — TODO
  # confirm) must come back escaped. The `attributes:` option is the
  # allow-list of attribute names that may be kept.
  context "uri escaping" do
    it {
      expect(sanitize_html(%{test}))
        .to eq(%{test})
      expect(sanitize_html(%{test}))
        .to eq(%{test})
      expect(sanitize_html(%{test}))
        .to eq(%{test})
      expect(sanitize_html(
        %{test},
        attributes: ['action']
      )).to eq(%{test})
    }
  end

  # Whole nodes that are dropped rather than unwrapped. The multi-line
  # literals keep their embedded newlines; the markup between the "text"
  # lines was lost in extraction.
  context "exclude node" do
    it {
      expect(sanitize_html("
text
text")).to eq("
text
text")
      expect(sanitize_html("
text
text")).to eq("
text
text")
    }
  end

  # General allow-list behaviour: `tags:` restricts elements, `attributes:`
  # restricts attributes, and `prune: true` drops a disallowed element
  # together with its content (note "leave me " loses the trailing word)
  # instead of unwrapping it to bare text.
  context "general" do
    it {
      expect(sanitize_html("foo", tags: %w(u))).to eq("foo")
      expect(sanitize_html("foo with bar", tags: %w(u))).to eq("foo with bar")
      expect(sanitize_html(%(
foo
))).to eq(%(
foo
))
      # data-* attributes must be explicitly allow-listed to survive.
      expect(sanitize_html(%(foo), attributes: ['data-foo'])).to eq(%(foo))
      # Whitespace-only input collapses to the empty string.
      expect(sanitize_html("
")).to eq("")
      expect(sanitize_html('', attributes: %w(foo))).to eq('')
      expect(sanitize_html('', tags: %w(u))).to eq('')
      expect(sanitize_html('', tags: %w(a))).to eq('')
      expect(sanitize_html("foo", tags: %w(u))).to eq("foo")
      expect(sanitize_html('', attributes: %w(bar))).to eq('')
      expect(sanitize_html("foo with bar", tags: %w(u))).to eq("foo with bar")
      # prune: true removes the disallowed element's content, not just its tag.
      expect(sanitize_html('leave me now', prune: true, tags: %w(u))).to eq("leave me ")
      expect(
        sanitize_html(
          %(
Lorem ipsum
),
          attributes: ['foo']
        )
      ).to eq(%(
Lorem ipsum
))
      # `style` is an allow-listed attribute here; the markup that carried it
      # is gone from the literal, so only the surrounding newlines remain.
      expect(
        sanitize_html(
          '

',
          attributes: %w(style)
        )
      ).to eq('

')
    }
  end
end