test/html5/test_sanitizer.rb in loofah-2.1.1 vs test/html5/test_sanitizer.rb in loofah-2.2.0

- old
+ new

@@ -18,13 +18,13 @@
 end
 def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
 ## libxml uses double-quotes, so let's swappo-boppo our quotes before comparing.
 sane = sanitize_html(input).gsub('"',"'")
- htmloutput.gsub!('"',"'")
- xhtmloutput.gsub!('"',"'")
- rexmloutput.gsub!('"',"'")
+ htmloutput = htmloutput.gsub('"',"'")
+ xhtmloutput = xhtmloutput.gsub('"',"'")
+ rexmloutput = rexmloutput.gsub('"',"'")
 ## HTML5's parsers are shit. there's so much inconsistency with what has closing tags, etc, that
 ## it would require a lot of manual hacking to make the tests match libxml's output.
 ## instead, I'm taking the shotgun approach, and trying to match any of the described outputs.
 assert((htmloutput == sane) || (rexmloutput == sane) || (xhtmloutput == sane),
@@ -134,11 +134,11 @@
 input = %(<a href="#{protocol.upcase}">foo</a>)
 output = "<a href='#{protocol.upcase}'>foo</a>"
 check_sanitization(input, output, output, output)
 end
 end
-
+
 HTML5::WhiteList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
 define_method "test_should_allow_data_#{data_uri_type}_uris" do
 input = %(<a href="data:#{data_uri_type}">foo</a>)
 output = "<a href='data:#{data_uri_type}'>foo</a>"
 check_sanitization(input, output, output, output)
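Review bot: The data: URI loop at the end of the second hunk only asserts the allow side — one lower-case media type with an empty payload per entry of ALLOWED_URI_DATA_MEDIATYPES — so a whitelist that silently widened, or a case-sensitive scheme/media-type match that lets `DATA:IMAGE/PNG` through, would not be caught by these tests. The protocol loop just above it already exercises `protocol.upcase`; the data: loop should do the same, `input = %(<a href="data:#{data_uri_type.upcase}">foo</a>)` with a matching `output`, and it needs at least one reject case for a media type that can carry script, e.g. `input = %(<a href="data:text/html;base64,PHNjcmlwdD4=">foo</a>)` asserting the href is dropped (presumably `<a>foo</a>`, as the file's disallowed-protocol tests expect — confirm). Without a negative case the loop passes for an implementation that accepts every data: URI. The define_method block is cut off at the end of the hunk; the whitespace-only `-`/`+` line pair above it is trivial.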
@@ -271,9 +271,41 @@
 def test_css_negative_value_sanitization_shorthand_css_properties
 html = "<span style=\"margin-left:-0.05em;\">"
 sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
 assert_match %r/-0.05em/, sane.inner_html
+ end
+
+ def test_css_function_sanitization_leaves_whitelisted_functions_calc
+ html = "<span style=\"width:calc(5%)\">"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/calc\(5%\)/, sane.inner_html
+
+ html = "<span style=\"width: calc(5%)\">"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/calc\(5%\)/, sane.inner_html
+ end
+
+ def test_css_function_sanitization_leaves_whitelisted_functions_rgb
+ html = '<span style="color: rgb(255, 0, 0)">'
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/rgb\(255, 0, 0\)/, sane.inner_html
+ end
+
+ def test_css_function_sanitization_leaves_whitelisted_list_style_type
+ html = "<ol style='list-style-type:lower-greek;'></ol>"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/list-style-type:lower-greek/, sane.inner_html
+ end
+
+ def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
+ html = "<span style=\"width:attr(data-evil-attr)\">"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/<span><\/span>/, sane.inner_html
+
+ html = "<span style=\"width: attr(data-evil-attr)\">"
+ sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+ assert_match %r/<span><\/span>/, sane.inner_html
 end
 def test_issue_90_slow_regex
 skip("timing tests are hard to make pass and have little regression-testing value")
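Review bot: The only unsafe function that test_css_function_sanitization_strips_style_attributes_with_unsafe_functions rejects is `attr()`, in two spacing variants, so a function check that is case-sensitive or anchored on the literal `name(` would still pass while letting `ATTR(data-evil-attr)` or `attr (data-evil-attr)` through. `url()` deserves a case of its own because CSS tokenizers typically emit it as a distinct url token rather than a function token, so it can take a different code path from `attr()`; `expression()` is the other classic injection carrier. If the sanitizer's check is a generic name-before-paren whitelist (not visible from these tests), the reject inputs can be table-driven as below, and the three "leaves_whitelisted" tests repeat the same scrub/parse/assert triple and could share a small helper; pass a message to `assert_match` so a failing entry is identifiable.
```ruby
  def test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
    # … unchanged: the two attr() cases …
    ["url(http://example.com/x.png)", "expression(alert(1))",
     "ATTR(data-evil-attr)", "attr (data-evil-attr)"].each do |value|
      html = "<span style=\"width:#{value}\">"
      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
      assert_match %r/<span><\/span>/, sane.inner_html, "#{value} should have been stripped"
    end
  end
```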