mirror of
https://github.com/openfoodfoundation/openfoodnetwork
synced 2026-01-25 20:46:48 +00:00
119 lines
3.8 KiB
Ruby
119 lines
3.8 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe HtmlSanitizer do
|
|
subject { described_class }
|
|
|
|
context "when HTML has supported tags" do
|
|
it "keeps supported regular tags" do
|
|
supported_tags = %w[h1 h2 h3 h4 div p b i u a strong em del pre blockquote ul ol li figure]
|
|
supported_tags.each do |tag|
|
|
html = "<#{tag}>Content</#{tag}>"
|
|
sanitized_html = subject.sanitize(html)
|
|
expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
|
|
end
|
|
end
|
|
|
|
it "keeps supported void tags" do
|
|
supported_tags = %w[br hr]
|
|
supported_tags.each do |tag|
|
|
html = "<#{tag}>"
|
|
sanitized_html = subject.sanitize(html)
|
|
expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
|
|
end
|
|
end
|
|
|
|
it "handles nested tags" do
|
|
html = '<div><ul><li>Item 1</li><li><strong>Item 2</strong></li></ul></div>'
|
|
expect(subject.sanitize(html)).to eq(html)
|
|
end
|
|
end
|
|
|
|
context "when HTML has dangerous tags" do
|
|
it "removes script tags" do
|
|
html = "Hello <script>alert</script>!"
|
|
expect(subject.sanitize(html)).to eq "Hello alert!"
|
|
end
|
|
|
|
it "removes iframe tags" do
|
|
html = "Content <iframe src='http://malicious-site.com'></iframe>"
|
|
expect(subject.sanitize(html)).to eq "Content "
|
|
end
|
|
|
|
it "removes object tags" do
|
|
html = "<object data='malicious-file.swf'></object>"
|
|
expect(subject.sanitize(html)).to eq ""
|
|
end
|
|
|
|
it "removes embed tags" do
|
|
html = "<embed src='malicious-video.mp4' type='video/mp4'>"
|
|
expect(subject.sanitize(html)).to eq ""
|
|
end
|
|
|
|
it "removes link tags" do
|
|
html = "<link rel='stylesheet' href='http://malicious-site.com/style.css'>"
|
|
expect(subject.sanitize(html)).to eq ""
|
|
end
|
|
|
|
it "removes base tags" do
|
|
html = "<base href='http://phishing-site.com/'>"
|
|
expect(subject.sanitize(html)).to eq ""
|
|
end
|
|
|
|
it "removes form tags" do
|
|
html = "<form action='http://malicious-site.com/submit' method='post'>...</form>"
|
|
expect(subject.sanitize(html)).to eq "..."
|
|
end
|
|
|
|
it "removes combined dangerous tags" do
|
|
html = "<script>alert</script><iframe scr='http://malicious-site.com'></iframe>"
|
|
expect(subject.sanitize(html)).to eq "alert"
|
|
end
|
|
end
|
|
|
|
context "when HTML has supported attributes" do
|
|
it "keeps supported attributes" do
|
|
html = 'Hello <a href="#focus">alert</a>!'
|
|
expect(subject.sanitize(html))
|
|
.to eq 'Hello <a href="#focus">alert</a>!'
|
|
end
|
|
end
|
|
|
|
context "when HTML has dangerous attributes" do
|
|
it "removes unsupported attributes" do
|
|
html = 'Hello <a href="#focus" onclick="alert">alert</a>!'
|
|
expect(subject.sanitize(html))
|
|
.to eq 'Hello <a href="#focus">alert</a>!'
|
|
end
|
|
|
|
it "removes dangerous attribute values" do
|
|
html = 'Hello <a href="javascript:alert(\"boo!\")">you</a>!'
|
|
expect(subject.sanitize(html))
|
|
.to eq 'Hello <a>you</a>!'
|
|
end
|
|
|
|
it "keeps only Trix-specific data attributes" do
|
|
html = '<figure data-trix-attachment="{...}" data-script="">...</figure>'
|
|
expect(subject.sanitize(html)).to eq('<figure data-trix-attachment="{...}">...</figure>')
|
|
end
|
|
end
|
|
|
|
context "when HTML has links" do
|
|
describe "#sanitize" do
|
|
it "doesn't add target blank to links" do
|
|
html = '<a href="https://example.com">Link</a>'
|
|
expect(subject.sanitize(html)).to eq('<a href="https://example.com">Link</a>')
|
|
end
|
|
end
|
|
|
|
describe "#sanitize_and_enforece_link_target_blank" do
|
|
it "adds target blank to links so they open in new windows" do
|
|
html = '<a href="https://example.com">Link</a>'
|
|
expect(subject.sanitize_and_enforce_link_target_blank(html))
|
|
.to eq('<a href="https://example.com" target="_blank">Link</a>')
|
|
end
|
|
end
|
|
end
|
|
end
|