# File actionpack/test/template/html-scanner/sanitizer_test.rb, line 4
# Reset the lazily built sanitizer before each test so that
# assert_sanitized and sanitize_css start from a fresh instance.
def setup
  @sanitizer = nil
end

A colon may appear inside a path segment as long as it is not the first segment of a relative-path reference, hence the "./" prefix (RFC 3986, sec 4.2).

# A relative link whose path segment contains a colon must pass through
# untouched; assert_sanitized with a single argument expects output == input.
def test_allow_colons_in_path_component
  link = "<a href=\"./this:that\">foo</a>"
  assert_sanitized(link)
end
# A form together with the input inside it is removed completely; the
# expected result is the empty string, not the input echoed back.
def test_sanitize_form
  form = "<form action=\"/foo/bar\" method=\"post\"><input></form>"
  assert_sanitized(form, '')
end
# A javascript: src value is removed from both the <img> and the <span>,
# width on the <img> is kept, and the text outside any tag is left alone.
def test_sanitize_image_src
  input    = %Q{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
  expected = %Q{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
  assert_sanitized(input, expected)
end
# A javascript: href value is removed from both the <a> and the <span>;
# the anchor's name attribute survives and the text outside tags is untouched.
def test_sanitize_javascript_href
  input    = %Q{href="javascript:bang" <a href="javascript:bang" name="hello">foo</a>, <span href="javascript:bang">bar</span>}
  expected = %Q{href="javascript:bang" <a name="hello">foo</a>, <span>bar</span>}
  assert_sanitized(input, expected)
end

TODO: Clean up

# The onclick and onbogus attributes are stripped from the anchor while
# name and href survive; the bare text before the tag is kept as-is.
# The expected string lists name before href: assert_sanitized compares via
# assert_dom_equal, so attribute order is presumably not significant.
def test_sanitize_js_handlers
  input    = %Q{onthis="do that" <a href="#" onclick="hello" name="foo" onbogus="remove me">hello</a>}
  expected = %Q{onthis="do that" <a name="foo" href="#">hello</a>}
  assert_sanitized(input, expected)
end
# The <plaintext> wrapper is removed but the <span> it encloses is kept.
def test_sanitize_plaintext
  input = "<plaintext><span>foo</span></plaintext>"
  assert_sanitized(input, "<span>foo</span>")
end
# A <script> element is removed together with its contents, leaving the
# surrounding text joined without a separator.
def test_sanitize_script
  input    = "a b c<script language=\"Javascript\">blah blah blah</script>d e f"
  expected = "a b cd e f"
  assert_sanitized(input, expected)
end
# Every protocol in the sanitizer's own allowed list must not be reported
# as bad when it is the scheme of a src value. send is used because
# contains_bad_protocols? is presumably not a public method.
def test_should_accept_good_protocols
  sanitizer = HTML::WhiteListSanitizer.new
  allowed   = HTML::WhiteListSanitizer.allowed_protocols
  allowed.each do |proto|
    url = "#{proto}://good"
    assert !sanitizer.send(:contains_bad_protocols?, 'src', url)
  end
end
# Allowed protocols must still be accepted when the scheme's first letter
# is upper-cased. Only the String#capitalize form is exercised here, so
# fully upper-cased or mixed-case schemes are not covered by this test.
def test_should_accept_good_protocols_ignoring_case
  sanitizer = HTML::WhiteListSanitizer.new
  allowed   = HTML::WhiteListSanitizer.allowed_protocols
  allowed.each do |proto|
    url = "#{proto.capitalize}://good"
    assert !sanitizer.send(:contains_bad_protocols?, 'src', url)
  end
end
# An anchor keeps its href but loses both the onclick handler and the
# nested <script> element (including its text).
def test_should_allow_anchors
  input    = %Q(<a href="foo" onclick="bar"><script>baz</script></a>)
  expected = %Q(<a href="foo"></a>)
  assert_sanitized(input, expected)
end
# Passing :tags lets the caller whitelist an element (<u>) so that it is
# returned unchanged; whether <u> is in the default list is not shown here.
def test_should_allow_custom_tags
  sanitizer = HTML::WhiteListSanitizer.new
  text      = "<u>foo</u>"
  assert_equal text, sanitizer.sanitize(text, :tags => %w(u))
end
# A blockquote carrying an http cite URL is accepted unchanged with the
# default tag and attribute lists.
def test_should_allow_custom_tags_with_attributes
  sanitizer = HTML::WhiteListSanitizer.new
  text      = %Q(<blockquote cite="http://example.com/">foo</blockquote>)
  assert_equal text, sanitizer.sanitize(text)
end
# Passing :attributes lets the caller whitelist an attribute name (foo)
# on a blockquote so that it is preserved in the output.
def test_should_allow_custom_tags_with_custom_attributes
  sanitizer = HTML::WhiteListSanitizer.new
  text      = %Q(<blockquote foo="bar">Lorem ipsum</blockquote>)
  assert_equal text, sanitizer.sanitize(text, :attributes => ['foo'])
end
# With :tags => %w(u) the <u> element survives while <i> is reduced to
# its text content.
def test_should_allow_only_custom_tags
  sanitizer = HTML::WhiteListSanitizer.new
  text      = "<u>foo</u> with <i>bar</i>"
  expected  = "<u>foo</u> with bar"
  assert_equal expected, sanitizer.sanitize(text, :tags => %w(u))
end
# An upper-cased SCRIPT tag whose SRC attribute follows a newline is still
# recognised and removed in full, leaving nothing behind.
def test_should_block_script_tag
  input = %Q(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>)
  assert_sanitized(input, "")
end
# Each scheme in the list must be reported by contains_bad_protocols? when
# it appears as the scheme of a src value. send is used because the
# predicate is presumably not public.
def test_should_flag_bad_protocols
  sanitizer = HTML::WhiteListSanitizer.new
  rejected  = %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg)
  rejected.each do |proto|
    url = "#{proto}://bad"
    assert sanitizer.send(:contains_bad_protocols?, 'src', url)
  end
end
# nil and the empty string are handled without error: assert_sanitized
# expects nil back for nil and '' back for '' (an empty string is truthy
# in Ruby, so it goes through the normal comparison path).
def test_should_handle_blank_text
  [nil, ''].each { |blank| assert_sanitized(blank) }
end
# Plain text with no markup at all comes back exactly as given.
def test_should_handle_non_html
  assert_sanitized('abc')
end
# An <IMG> whose SRC value is spread one character per line is reduced to
# a bare <img>: the attribute does not survive in any form.
def test_should_not_fall_for_ridiculous_hack
  input = %Q(<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
  assert_sanitized(input, "<img>")
end
# A query string containing an entity-encoded ampersand (&amp;) must
# round-trip unchanged rather than being re-encoded or decoded.
def test_should_not_mangle_urls_with_ampersand
  link = %Q{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
  assert_sanitized(link)
end
# A percent-encoded scheme must not be accepted as a protocol, whether it
# arrives as &#37; entities inside markup (href is dropped, leaving <a>) or
# as a literal %-encoded string handed straight to contains_bad_protocols?.
# The second assertion reads @sanitizer, which assert_sanitized memoises on
# its first call, so the two statements must stay in this order.
def test_should_reject_hex_codes_in_protocol
  link = %Q(<a href="&#37;6A&#37;61&#37;76&#37;61&#37;73&#37;63&#37;72&#37;69&#37;70&#37;74&#37;3A&#37;61&#37;6C&#37;65&#37;72&#37;74&#37;28&#37;22&#37;58&#37;53&#37;53&#37;22&#37;29">1</a>)
  assert_sanitized(link, "<a>1</a>")

  encoded = "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29"
  assert @sanitizer.send(:contains_bad_protocols?, 'src', encoded)
end
# A CSS expression() split across newlines is rejected outright:
# sanitize_css returns the empty string.
def test_should_sanitize_across_newlines
  css = %Q(\nwidth:\nexpression(alert('XSS'));\n)
  assert_equal '', sanitize_css(css)
end

TODO: Clean up

# A title attribute whose value contains a quote and markup is kept, but
# the value is HTML-escaped (the expectation is built with CGI.escapeHTML)
# so it stays attribute text; the tag name is also lower-cased.
def test_should_sanitize_attributes
  input    = %Q(<SPAN title="'><script>alert()</script>">blah</SPAN>)
  escaped  = CGI.escapeHTML "'><script>alert()</script>"
  expected = %Q(<span title="#{escaped}">blah</span>)
  assert_sanitized(input, expected)
end
# A CDATA section is not passed through as markup: every "<" in it,
# including the one opening the section, is entity-encoded.
def test_should_sanitize_cdata_section
  input    = "<![CDATA[<span>section</span>]]>"
  expected = "&lt;![CDATA[&lt;span>section&lt;/span>]]>"
  assert_sanitized(input, expected)
end
# A background-image value written with escape sequences is rejected
# outright by sanitize_css (empty string back).
def test_should_sanitize_div_background_image_unicode_encoded
  css = %Q(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
  assert_equal '', sanitize_css(css)
end
# A width declaration using expression() is rejected by sanitize_css.
def test_should_sanitize_div_style_expression
  css = %Q(width: expression(alert('XSS'));)
  assert_equal '', sanitize_css(css)
end
# An <IMG> tag that is never closed still has its javascript: SRC dropped,
# leaving a bare <img>.
def test_should_sanitize_half_open_scripts
  input = %Q(<IMG SRC="javascript:alert('XSS')")
  assert_sanitized(input, "<img>")
end
# Comparing input with expected: position, left, top, z-index and
# background-repeat are dropped, the url(...) of background-image is
# emptied, and the surviving declarations are re-spaced as "prop: value;".
def test_should_sanitize_illegal_style_properties
  css      = %Q(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
  expected = %Q(display: block; width: 100%; height: 100%; background-color: black; background-image: ; background-x: center; background-y: center;)
  assert_equal expected, sanitize_css(css)
end
# A lowsrc attribute carrying a javascript: URL is removed from <img>;
# the self-closing form is preserved in the output.
def test_should_sanitize_img_dynsrc_lowsrc
  input = %Q(<img lowsrc="javascript:alert('XSS')" />)
  assert_sanitized(input, "<img />")
end
# A single-quoted vbscript: src is removed from <img>, leaving the
# self-closing tag.
def test_should_sanitize_img_vbscript
  input = %Q(<img src='vbscript:msgbox("XSS")' />)
  assert_sanitized(input, '<img />')
end
# A SCRIPT tag whose name is followed by "/XSS" instead of whitespace is
# still removed in full.
def test_should_sanitize_invalid_script_tag
  input = %Q(<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>)
  assert_sanitized(input, "")
end
# The lower-case "script/XSS" variant is removed as well, with the text
# on either side joined.
def test_should_sanitize_invalid_tag_names
  input    = %Q(a b c<script/XSS src="http://ha.ckers.org/xss.js"></script>d e f)
  expected = "a b cd e f"
  assert_sanitized(input, expected)
end
# A self-closing img whose src is glued to the tag name with "/" loses
# the attribute and is emitted as a plain <img />.
def test_should_sanitize_invalid_tag_names_in_single_tags
  input = '<img/src="http://ha.ckers.org/xss.js"/>'
  assert_sanitized(input, "<img />")
end
# An attribute value that is never terminated (a quote followed by a lone
# backslash) is closed off and the tag completed instead of left dangling.
def test_should_sanitize_neverending_attribute
  input    = "<span class=\"\\"
  expected = "<span class=\"\\\">"
  assert_sanitized(input, expected)
end
# An attribute name padded with punctuation is discarded entirely and the
# anchor is reduced to <a>foo</a>.
def test_should_sanitize_non_alpha_and_non_digit_characters_in_tags
  input = '<a onclick!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>foo</a>'
  assert_sanitized(input, "<a>foo</a>")
end
# A doubled "<" before SCRIPT: the script block is removed and the stray
# leading "<" is entity-encoded. An unterminated iframe followed by "<a"
# is handled the same way, leaving only the encoded "&lt;a".
def test_should_sanitize_script_tag_with_multiple_open_brackets
  cases = [
    [%Q(<<SCRIPT>alert("XSS");//<</SCRIPT>),                   "&lt;"],
    [%Q(<iframe src=http://ha.ckers.org/scriptlet.html\n<a),    %Q(&lt;a)]
  ]
  cases.each { |input, expected| assert_sanitized(input, expected) }
end
# A NUL byte splitting the tag name ("SCR\0IPT") must not let the element
# through as markup: both tags are dropped and only their text remains.
def test_should_sanitize_tag_broken_up_by_null
  input = %Q(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>)
  assert_sanitized(input, "alert(\"XSS\")")
end
# An unclosed SCRIPT tag whose SRC value runs straight into "<B>" is
# dropped, and only the <b> survives.
def test_should_sanitize_unclosed_script
  input = %Q(<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>)
  assert_sanitized(input, "<b>")
end
# A CDATA section with no closing "]]>" is entity-encoded like a complete
# one, and the expected output carries the closing "]]>" appended.
def test_should_sanitize_unterminated_cdata_section
  input    = "<![CDATA[<span>neverending..."
  expected = "&lt;![CDATA[&lt;span>neverending...]]>"
  assert_sanitized(input, expected)
end
# Trailing whitespace after the last declaration is removed and the
# declaration is normalised to "display: block;".
def test_should_sanitize_with_trailing_space
  css      = "display:block; "
  expected = "display: block;"
  assert_equal expected, sanitize_css(css)
end
# A -moz-binding declaration pointing at an external XUL file is rejected
# outright by sanitize_css.
def test_should_sanitize_xul_style_attributes
  css = %Q(-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss'))
  assert_equal '', sanitize_css(css)
end
# HTML::FullSanitizer strips every tag, comment and CDATA section and keeps
# only the text. Each pair below is [expected, input] and is run in the
# original order. Blank inputs (nil, '', whitespace) come back as given,
# and a frozen string must be accepted without raising.
def test_strip_tags
  sanitizer = HTML::FullSanitizer.new

  long_input    = %Q{<title>This is <b>a <a href="" target="_blank">test</a></b>.</title>\n\n<!-- it has a comment -->\n\n<p>It no <b>longer <strong>contains <em>any <strike>HTML</strike></em>.</strong></b></p>\n}
  long_expected = %Q{This is a test.\n\n\nIt no longer contains any HTML.\n}

  cases = [
    ["<<<bad html",           "<<<bad html"],
    ["<<",                    "<<<bad html>"],
    ["Dont touch me",         "Dont touch me"],
    ["This is a test.",       "<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>"],
    ["Weirdos",               "Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"],
    ["This is a test.",       "This is a test."],
    [long_expected,           long_input],
    ["This has a  here.",     "This has a <!-- comment --> here."],
    ["This has a  here.",     "This has a <![CDATA[<section>]]> here."],
    ["This has an unclosed ", "This has an unclosed <![CDATA[<section>]] here..."]
  ]
  cases.each do |expected, html|
    assert_equal expected, sanitizer.sanitize(html)
  end

  [nil, '', '   '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }

  # Presumably guards against in-place mutation of the caller's string.
  assert_nothing_raised { sanitizer.sanitize("This is a frozen string with no tags".freeze) }
end
# A stray '<"' before an <img> carrying an onload handler must not confuse
# the full sanitizer: everything up to the trailing text " hi" is removed.
def test_strip_tags_with_quote
  sanitizer = HTML::FullSanitizer.new
  input     = '<" <img src="trollface.gif" onload="alert(1)"> hi'
  assert_equal ' hi', sanitizer.sanitize(input)
end
# Colons written as numeric entities (&#x3a;, zero-padded &#x003a;, and
# their upper-case hex forms) must be treated like a literal colon: the
# javascript hrefs are dropped, leaving a bare <a>, while the http href
# is kept with the entity resolved to "http://legit".
def test_x03a
  bare_anchor = "<a>"
  legit_link  = %Q(<a href="http://legit">)

  [
    [%Q(<a href="javascript&#x3a;alert('XSS');">),   bare_anchor],
    [%Q(<a href="javascript&#x003a;alert('XSS');">), bare_anchor],
    [%Q(<a href="http&#x3a;//legit">),               legit_link],
    [%Q(<a href="javascript&#x3A;alert('XSS');">),   bare_anchor],
    [%Q(<a href="javascript&#x003A;alert('XSS');">), bare_anchor],
    [%Q(<a href="http&#x3A;//legit">),               legit_link]
  ].each { |input, expected| assert_sanitized(input, expected) }
end
# Sanitize +input+ with a memoised HTML::WhiteListSanitizer and check the
# result.
#
# input::    markup to sanitize; nil is permitted.
# expected:: the output the sanitizer should produce. When omitted (nil)
#            the input itself is expected back unchanged. An empty string
#            is a real expectation, not "omitted" -- '' is truthy in Ruby.
#
# A nil input is asserted to sanitize to nil. Anything else is compared
# with assert_dom_equal, so presumably as parsed markup rather than as a
# byte-for-byte string. The @sanitizer instance is shared with sanitize_css
# and is cleared by setup before each test.
def assert_sanitized(input, expected = nil)
  @sanitizer ||= HTML::WhiteListSanitizer.new
  actual = @sanitizer.sanitize(input)
  return assert_nil(actual) unless input
  assert_dom_equal(expected || input, actual)
end
# Run +input+ through the CSS sanitizer of the same memoised
# HTML::WhiteListSanitizer that assert_sanitized uses, creating it on
# first use. Returns whatever sanitize_css on the sanitizer returns.
def sanitize_css(input)
  @sanitizer ||= HTML::WhiteListSanitizer.new
  @sanitizer.sanitize_css(input)
end