@ -13,7 +13,7 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
{
|
||||
describe('HTML sanitizer', () => {
|
||||
let defaultDoc: any;
|
||||
let originalLog: (msg: any) => any = null !;
|
||||
let originalLog: (msg: any) => any = null!;
|
||||
let logMsgs: string[];
|
||||
|
||||
beforeEach(() => {
|
||||
@ -23,7 +23,9 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
console.warn = (msg: any) => logMsgs.push(msg);
|
||||
});
|
||||
|
||||
afterEach(() => { console.warn = originalLog; });
|
||||
afterEach(() => {
|
||||
console.warn = originalLog;
|
||||
});
|
||||
|
||||
it('serializes nested structures', () => {
|
||||
expect(_sanitizeHtml(defaultDoc, '<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>'))
|
||||
@ -36,8 +38,9 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
.toEqual('<p>Hello <br> World</p>');
|
||||
});
|
||||
|
||||
it('supports namespaced elements',
|
||||
() => { expect(_sanitizeHtml(defaultDoc, 'a<my:hr/><my:div>b</my:div>c')).toEqual('abc'); });
|
||||
it('supports namespaced elements', () => {
|
||||
expect(_sanitizeHtml(defaultDoc, 'a<my:hr/><my:div>b</my:div>c')).toEqual('abc');
|
||||
});
|
||||
|
||||
it('supports namespaced attributes', () => {
|
||||
expect(_sanitizeHtml(defaultDoc, '<a xlink:href="something">t</a>'))
|
||||
@ -66,8 +69,9 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
.toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');
|
||||
});
|
||||
|
||||
it('supports sanitizing plain text',
|
||||
() => { expect(_sanitizeHtml(defaultDoc, 'Hello, World')).toEqual('Hello, World'); });
|
||||
it('supports sanitizing plain text', () => {
|
||||
expect(_sanitizeHtml(defaultDoc, 'Hello, World')).toEqual('Hello, World');
|
||||
});
|
||||
|
||||
it('ignores non-element, non-attribute nodes', () => {
|
||||
expect(_sanitizeHtml(defaultDoc, '<!-- comments? -->no.')).toEqual('no.');
|
||||
@ -104,8 +108,9 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
'select',
|
||||
];
|
||||
for (const tag of dangerousTags) {
|
||||
it(tag,
|
||||
() => { expect(_sanitizeHtml(defaultDoc, `<${tag}>evil!</${tag}>`)).toEqual('evil!'); });
|
||||
it(tag, () => {
|
||||
expect(_sanitizeHtml(defaultDoc, `<${tag}>evil!</${tag}>`)).toEqual('evil!');
|
||||
});
|
||||
}
|
||||
|
||||
const dangerousSelfClosingTags = [
|
||||
@ -129,7 +134,9 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||
'template',
|
||||
];
|
||||
for (const tag of dangerousSkipContentTags) {
|
||||
it(tag, () => { expect(_sanitizeHtml(defaultDoc, `<${tag}>evil!</${tag}>`)).toEqual(''); });
|
||||
it(tag, () => {
|
||||
expect(_sanitizeHtml(defaultDoc, `<${tag}>evil!</${tag}>`)).toEqual('');
|
||||
});
|
||||
}
|
||||
|
||||
it(`frame`, () => {
|
||||
|
@ -24,7 +24,9 @@ describe('sanitization', () => {
|
||||
afterEach(() => leaveView());
|
||||
class Wrap {
|
||||
constructor(private value: string) {}
|
||||
toString() { return this.value; }
|
||||
toString() {
|
||||
return this.value;
|
||||
}
|
||||
}
|
||||
it('should sanitize html', () => {
|
||||
expect(ɵɵsanitizeHtml('<div></div>')).toEqual('<div></div>');
|
||||
@ -96,7 +98,7 @@ describe('sanitization', () => {
|
||||
contextsByProp.set(prop, contexts);
|
||||
// check only in case a prop can be a part of both URL contexts
|
||||
if (contexts.size === 2) {
|
||||
expect(getUrlSanitizer(tag, prop)).toEqual(sanitizerNameByContext.get(context) !);
|
||||
expect(getUrlSanitizer(tag, prop)).toEqual(sanitizerNameByContext.get(context)!);
|
||||
}
|
||||
}
|
||||
});
|
||||
|
@ -19,9 +19,13 @@ describe('Style sanitizer', () => {
|
||||
console.warn = (msg: any) => logMsgs.push(msg);
|
||||
});
|
||||
|
||||
afterEach(() => { console.warn = originalLog; });
|
||||
afterEach(() => {
|
||||
console.warn = originalLog;
|
||||
});
|
||||
|
||||
function expectSanitize(v: string) { return expect(_sanitizeStyle(v)); }
|
||||
function expectSanitize(v: string) {
|
||||
return expect(_sanitizeStyle(v));
|
||||
}
|
||||
|
||||
it('sanitizes values', () => {
|
||||
expectSanitize('').toEqual('');
|
||||
@ -31,7 +35,9 @@ describe('Style sanitizer', () => {
|
||||
expectSanitize('expression(haha)').toEqual('unsafe');
|
||||
});
|
||||
|
||||
it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
|
||||
it('rejects unblanaced quotes', () => {
|
||||
expectSanitize('"value" "').toEqual('unsafe');
|
||||
});
|
||||
|
||||
it('accepts transform functions', () => {
|
||||
expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
|
||||
@ -47,12 +53,17 @@ describe('Style sanitizer', () => {
|
||||
.toEqual('repeating-radial-gradient(ellipse cover, black, red, black, red)');
|
||||
});
|
||||
|
||||
it('accepts attr', () => { expectSanitize('attr(value string)').toEqual('attr(value string)'); });
|
||||
it('accepts attr', () => {
|
||||
expectSanitize('attr(value string)').toEqual('attr(value string)');
|
||||
});
|
||||
|
||||
it('accepts calc', () => { expectSanitize('calc(90%-123px)').toEqual('calc(90%-123px)'); });
|
||||
it('accepts calc', () => {
|
||||
expectSanitize('calc(90%-123px)').toEqual('calc(90%-123px)');
|
||||
});
|
||||
|
||||
it('accepts var',
|
||||
() => { expectSanitize('var(--my-custom-var)').toEqual('var(--my-custom-var)'); });
|
||||
it('accepts var', () => {
|
||||
expectSanitize('var(--my-custom-var)').toEqual('var(--my-custom-var)');
|
||||
});
|
||||
|
||||
it('sanitizes URLs', () => {
|
||||
expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');
|
||||
|
@ -21,7 +21,9 @@ import {_sanitizeUrl, sanitizeSrcset} from '../../src/sanitization/url_sanitizer
|
||||
console.warn = (msg: any) => logMsgs.push(msg);
|
||||
});
|
||||
|
||||
afterEach(() => { console.warn = originalLog; });
|
||||
afterEach(() => {
|
||||
console.warn = originalLog;
|
||||
});
|
||||
|
||||
t.it('reports unsafe URLs', () => {
|
||||
t.expect(_sanitizeUrl('javascript:evil()')).toBe('unsafe:javascript:evil()');
|
||||
@ -113,6 +115,5 @@ import {_sanitizeUrl, sanitizeSrcset} from '../../src/sanitization/url_sanitizer
|
||||
t.it(`valid ${srcset}`, () => t.expect(sanitizeSrcset(srcset)).toMatch(/unsafe:/));
|
||||
}
|
||||
});
|
||||
|
||||
});
|
||||
}
|
||||
|