/spec/whitewash_spec.rb
https://github.com/bejbus/whitewash · Ruby · 99 lines · 84 code · 14 blank · 1 comment · 14 complexity · 050665c0f0fca247d7cf2dd9571bef32 MD5 · raw file
- require File.expand_path('spec/spec_helper')
- describe Whitewash do
- it "loads default whitelist" do
- whitelist = Whitewash.default_whitelist
- whitelist.should be_a_kind_of Hash
- whitelist.should include '_css'
- end
- it "drops <html> and <body> elements" do
- w = Whitewash.new
- input = '<html><head></head><body><p>test</p></body>'
- output = w.sanitize(input)
- output.should == '<p>test</p>'
- end
- it "understands fragments with multiple root elements" do
- w = Whitewash.new
- input = '<p>foo</p><p>bar</p>'
- output = w.sanitize(input)
- output.should == '<p>foo</p><p>bar</p>'
- end
- it "removes <script/> element" do
- w = Whitewash.new
- input = '<p>foo <script type="text/javascript" src="test.js">bar</script> buzz</p>'
- output = w.sanitize(input)
- output.should == '<p>foo <![CDATA[bar]]> buzz</p>'
- end
- it "removes onclick attribute" do
- w = Whitewash.new
- input = '<p>foo <span onlick="test()">bar</span> buzz</p>'
- output = w.sanitize(input)
- output.should == '<p>foo <span>bar</span> buzz</p>'
- end
- it "removes background CSS property" do
- w = Whitewash.new
- input = '<p>foo <span style="background: url(//test/t.js)">bar</span> buzz</p>'
- output = w.sanitize(input)
- output.should == '<p>foo <span>bar</span> buzz</p>'
- end
- it "rewrites HTML when supplied with a block" do
- w = Whitewash.new
- input = '<p>foo <img src="in.jpg"/> buzz</p>'
- output = w.sanitize(input) do |xml|
- if xml.name == 'img'
- xml['src'] = 'out.jpg'
- end
- end
- output.should == '<p>foo <img src="out.jpg" /> buzz</p>'
- end
- it "fixes up invalid markup" do
- w = Whitewash.new
- input = '<p>foo <strong><em>bar</strong></em> buzz</p>'
- output = w.sanitize(input)
- output.should == '<p>foo <strong><em>bar</em></strong> buzz</p>'
- end
- # http://ha.ckers.org/xss.html
- it "catches javascript: in img/src" do
- w = Whitewash.new
- input = %q{<IMG SRC=JaVaScRiPt:alert('XSS')>}
- output = w.sanitize(input)
- output.should == %q{<img />}
- end
- it "handles strings with null in the middle" do
- w = Whitewash.new
- input = %q{<IMG SRC=java\0script:alert("XSS")>}
- output = w.sanitize(input)
- output.should == %q{<img />}
- end
- it "handles extra open brackets" do
- w = Whitewash.new
- input = %q{<<SCRIPT>alert("XSS");//<</SCRIPT>}
- output = w.sanitize(input)
- output.should == '<p>alert("XSS");//</p>'
- end
- it "removes remote stylesheet link" do
- w = Whitewash.new
- input = %q{<P><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></P>}
- output = w.sanitize(input)
- output.should == '<p></p>'
- end
- it "removes XML data island with CDATA obfuscation" do
- w = Whitewash.new
- input = %{<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>}
- output = w.sanitize(input)
- output.should == ']]> <span></span>'
- end
- end