test/html5/test_sanitizer.rb in loofah-1.2.1 vs test/html5/test_sanitizer.rb in loofah-2.0.0
- old
+ new
@@ -86,10 +86,19 @@
end
check_sanitization(input, htmloutput, output, output)
end
end
+ def test_should_allow_data_attributes
+ input = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
+
+ output = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
+ htmloutput = "<p data-foo='foo'>foo <bad>bar</bad> baz</p>"
+
+ check_sanitization(input, htmloutput, output, output)
+ end
+
##
## libxml2 downcases attributes, so this is moot.
##
# HTML5::WhiteList::ALLOWED_ATTRIBUTES.each do |attribute_name|
# define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do
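Review bot: test_should_allow_data_attributes pins only the accept path for `data-foo`; nothing in the suite asserts the boundary of the new allowance, so an implementation that admits every attribute whose name merely starts with `data` (for example `datafoo` or `data_foo`) would still pass. A companion test with `input = "<p datafoo='foo'>foo</p>"` whose expected outputs carry no attribute would pin that boundary, and the per-attribute forbid tests that follow are commented out, so this case has no other coverage. The `output` and `htmloutput` literals in the new test are identical and `check_sanitization` already receives `output` twice on the last line, so one literal would suffice unless the html and xhtml expectations are meant to diverge later.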
@@ -144,10 +153,15 @@
xhtmloutput = "<#{tag_name}></#{tag_name}>"
check_sanitization(input, output, xhtmloutput, xhtmloutput)
end
end
+ def test_figure_element_is_valid
+ fragment = Loofah.scrub_fragment("<span>hello</span> <figure>asd</figure>", :prune)
+ assert fragment.at_css("figure"), "<figure> tag was scrubbed"
+ end
+
##
## as tenderlove says, "care < 0"
##
# def test_should_handle_astral_plane_characters
# input = "<p>𝒵 𝔸</p>"
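Review bot: test_figure_element_is_valid asserts only that a `figure` node exists after scrubbing with `:prune`; it does not pin that the element's text or the preceding `span` survive, so a scrubber that kept an empty `<figure>` while dropping its content would pass. Adding `assert_equal "asd", fragment.at_css("figure").text` makes the claim in the test name explicit. The test also bypasses the check_sanitization helper used by the neighbouring tests; if that is intentional, a one-line comment such as `# presence check only; serialized-output comparison is covered by the check_sanitization tests above` would tell the next reader why this one is written differently.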
@@ -160,11 +174,11 @@
# end
# This affects only NS4. Is it worth fixing?
# def test_javascript_includes
# input = %(<div size="&{alert('XSS')}">foo</div>)
-# output = "<div>foo</div>"
+# output = "<div>foo</div>"
# check_sanitization(input, output, output, output)
# end
##
## these tests primarily test the parser logic, not the sanitizer
@@ -185,11 +199,11 @@
end
end
end
## added because we don't have any coverage above on SVG_ATTR_VAL_ALLOWS_REF
- HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|
+ HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.each do |attr_name|
define_method "test_should_allow_uri_refs_in_svg_attribute_#{attr_name}" do
input = "<rect fill='url(#foo)' />"
output = "<rect fill='url(#foo)'></rect>"
check_sanitization(input, output, output, output)
end
@@ -197,9 +211,15 @@
define_method "test_absolute_uri_refs_in_svg_attribute_#{attr_name}" do
input = "<rect fill='url(http://bad.com/) #fff' />"
output = "<rect fill=' #fff'></rect>"
check_sanitization(input, output, output, output)
end
+ end
+
+ def test_css_negative_value_sanitization
+ html = "<span style=\"letter-spacing:-0.03em;\">"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+ assert_match %r/-0.03em/, sane.inner_html
end
end
# <html5_license>
#
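Review bot: The pattern in test_css_negative_value_sanitization, `%r/-0.03em/`, leaves the dot unescaped, so it matches any character in that position and would also accept a value such as `-0x03em`; the assertion should read `assert_match %r/-0\.03em/, sane.inner_html`. The round trip through `to_xml` and a fresh `Nokogiri::HTML` parse also obscures where the value is being checked; asserting on the scrubbed fragment's own serialization, if it emits the style attribute the same way, would localize a failure to the scrubber rather than to the re-parse. The `<span style=...>` input is never closed, which may be deliberate, but a short comment saying so would stop a later cleanup from "fixing" it.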