import test from 'ava';
import purifyHtml from './purifyHtml.js';
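// Plain text with no markup must pass through purifyHtml untouched.
// This case was previously present twice under two titles; one test
// covers it.
test('purifyHtml return same string if no tags present', t => {
  t.is(purifyHtml('Hello world'), 'Hello world');
});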
// The outer <h1> is dropped while the nested <b> survives, so the
// allow-list is applied per tag rather than to the whole fragment.
test('should remove some tags, but keep others', function (t) {
  const input = '<h1><b>Hello</b> World</h1>';
  const expected = '<b>Hello</b> World';
  t.is(purifyHtml(input), expected);
});
// Non-string input must be tolerated rather than thrown on; callers may
// hand over values straight from untyped data.
test('should not crash if input is not a string', function (t) {
  const nonStrings = [null, undefined, 42, { foo: 'bar' }];
  for (const value of nonStrings) {
    t.notThrows(() => purifyHtml(value));
  }
});
// null and undefined are returned as-is (not coerced to a string).
test('should return the input value if undefined or null', function (t) {
  const nullish = [null, undefined];
  nullish.forEach(value => {
    t.is(purifyHtml(value), value);
  });
});
// <script> is not on the default allow-list: the tag itself is removed
// but its text content is kept as plain text, which is inert once the
// tag is gone.
test('should remove script tags', function (t) {
  const dangerous = '<script>alert("foo")</script>';
  t.is(purifyHtml(dangerous), 'alert("foo")');
});
// The second argument widens the allow-list. Allowing <script> re-enables
// code execution in the output, so that list must come from trusted
// configuration — never from the same untrusted source as the HTML.
test('should keep script tags if we explicitly allow it', function (t) {
  const scriptTag = '<script>alert("foo")</script>';
  const allowed = '<script>';
  t.is(purifyHtml(scriptTag, allowed), scriptTag);
});
// Anchors without a target get target="_blank" plus
// rel="nofollow noopener noreferrer"; noopener/noreferrer keep the opened
// page from reaching back through window.opener.
test('links get target="_blank" and rel="" set automatically', function (t) {
  const input = 'check out <a href="https://example.com">this link</a>!';
  const expected =
    'check out <a href="https://example.com" target="_blank" rel="nofollow noopener noreferrer">this link</a>!';
  t.is(purifyHtml(input), expected);
});
// A pre-set target other than _self (here _parent, which could navigate
// the embedding frame) is replaced by _blank, and rel is still added.
test('links with existing target != _self get overwritten', function (t) {
  const input = 'check out <a href="https://example.com" target="_parent">this link</a>!';
  const expected =
    'check out <a href="https://example.com" target="_blank" rel="nofollow noopener noreferrer">this link</a>!';
  t.is(purifyHtml(input), expected);
});
// target="_self" is the one value left alone; the rel attribute is added
// regardless of the target.
test('links with existing target _self dont get overwritten', function (t) {
  const input = 'check out <a href="https://example.com" target="_self">this link</a>!';
  const expected =
    'check out <a href="https://example.com" target="_self" rel="nofollow noopener noreferrer">this link</a>!';
  t.is(purifyHtml(input), expected);
});
// Inline style attributes are passed through unchanged. NOTE(review): this
// is a deliberate allowance; style can still be used for layout and
// overlay tricks, so whether it is acceptable depends on where the
// output is rendered.
test('test if styles are kept in', function (t) {
  const styled = 'this is <span style="color:red">red</span>!';
  t.is(purifyHtml(styled), styled);
});
// An inline event handler on an otherwise allowed anchor is dropped while
// the anchor itself (with the usual target/rel rewrite) is kept.
test('test if onclick handlers are removed', function (t) {
  const input = '<a href="https://example.com" onclick="alert(42)">click me!</a>';
  const expected =
    '<a href="https://example.com" target="_blank" rel="nofollow noopener noreferrer">click me!</a>';
  t.is(purifyHtml(input), expected);
});
// A javascript: href is neutralised by emptying the attribute (href="")
// rather than removing it; target and rel are still applied.
test('test if javascript urls are removed', function (t) {
  const input = '<a href="javascript:alert(42)">click me!</a>';
  const expected = '<a href="" target="_blank" rel="nofollow noopener noreferrer">click me!</a>';
  t.is(purifyHtml(input), expected);
});
// Every on* attribute is removed, not just the first one encountered.
test('test if multiple on* handlers are removed', function (t) {
  const input = '<span onmouseover="diversion" onclick="alert(document.domain)">span</span>';
  const expected = '<span>span</span>';
  t.is(purifyHtml(input), expected);
});
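// Browsers strip tabs and newlines when parsing URLs, so a scheme written
// as "ja<TAB>va<LF>script:" is still a javascript: URL and must be
// neutralised like the plain form: href is emptied, target="_self" and the
// rel attribute are applied as usual. The control characters are written
// as escapes so the literal stays valid JavaScript and survives editors
// that normalise whitespace.
test('javascript link with special chars', function (t) {
  const input = '<a href="ja\tva\nscript:alert(document.domain)" target="_self">link</a>';
  const expected = '<a href="" target="_self" rel="nofollow noopener noreferrer">link</a>';
  t.is(purifyHtml(input), expected);
});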
// Regression test for an unterminated-attribute payload: if the sanitizer
// let the stray quotes through, the browser's parser could re-attach
// onerror/onload once the output is embedded in another element. Needs a
// DOM (`document`) in the test environment; NOTE(review): that setup is
// not visible in this file.
test('prevent unclosed tag exploit', function (t) {
  const payload = '<img src=x onerror=alert(1);"" onload="a="';
  const purified = purifyHtml(payload);
  const host = document.createElement('p');
  host.innerHTML = `<span>${purified}</span>`;
  const wrapper = host.childNodes[0];
  const img = wrapper.childNodes[0];
  t.is(wrapper.tagName, 'SPAN');
  // The odd serialisation is what the parser makes of the leftover quote
  // characters; what matters is that no event-handler attribute survives.
  t.is(wrapper.innerHTML, '<img src="x" <="" span="">');
  t.is(img.tagName, 'IMG');
  t.is(img.getAttribute('onerror'), null);
  t.is(img.getAttribute('onload'), null);
});