Sha256: 96c6f9261182f6d3458581b103fae755cf2402975cff678b38eebb5714a6af6f
Contents?: true
Size: 1.66 KB
Versions: 8
Compression:
Stored size: 1.66 KB
Contents
# encoding: utf-8
require_relative 'common'

# Specs for the CSS transformers of Sanitize, run against the RELAXED config.
#
# NOTE(review): this listing was flattened onto one line by the page it came
# from, so the original line breaks inside the %[...] fixtures cannot be
# recovered here. Every fixture string below is kept exactly as displayed.

describe 'Sanitize::Transformers::CSS::CleanAttribute' do
  make_my_diffs_pretty!
  parallelize_me!

  before do
    @sanitizer = Sanitize.new(Sanitize::Config::RELAXED)
  end

  it 'should sanitize CSS properties in style attributes' do
    # `expression(...)` is the legacy Internet Explorer syntax that evaluates
    # script from inside a CSS value. The declaration carrying it must be
    # dropped, while the harmless `color` declaration and the comment survive.
    dirty = %[ <div style="color: #fff; width: expression(alert(1)); /* <-- evil! */"></div> ].strip
    clean = %[ <div style="color: #fff; /* <-- evil! */"></div> ].strip

    _(@sanitizer.fragment(dirty)).must_equal clean
  end

  it 'should remove the style attribute if the sanitized CSS is empty' do
    # When nothing survives sanitization, the attribute itself is removed
    # rather than left behind as an empty style="".
    dirty = '<div style="width: expression(alert(1))"></div>'

    _(@sanitizer.fragment(dirty)).must_equal '<div></div>'
  end
end

describe 'Sanitize::Transformers::CSS::CleanElement' do
  make_my_diffs_pretty!
  parallelize_me!

  before do
    @sanitizer = Sanitize.new(Sanitize::Config::RELAXED)
  end

  it 'should sanitize CSS stylesheets in <style> elements' do
    # Expected outcome, as pinned by the fixture pair below:
    #   * the `@import` rule is removed
    #   * the unknown `bogus` property is removed
    #   * the `expression(...)` declaration is removed, leaving `.evil { }`
    #   * ordinary declarations, `url(yay.jpg)` and the @media block are kept
    dirty = %[ <style>@import url(evil.css); /* Yay CSS! */ .foo { color: #fff; } #bar { background: url(yay.jpg); bogus: wtf; } .evil { width: expression(xss()); } @media screen (max-width:480px) { .foo { width: 400px; } #bar:not(.baz) { height: 100px; } } </style> ].strip
    clean = %[ <style> /* Yay CSS! */ .foo { color: #fff; } #bar { background: url(yay.jpg); } .evil { } @media screen (max-width:480px) { .foo { width: 400px; } #bar:not(.baz) { height: 100px; } } </style> ].strip

    _(@sanitizer.fragment(dirty)).must_equal clean
  end

  it 'should remove the <style> element if the sanitized CSS is empty' do
    # An empty stylesheet has nothing worth keeping, so the whole element
    # is expected to disappear from the output.
    _(@sanitizer.fragment('<style></style>')).must_equal ''
  end
end