diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 08344d2..533c5ba 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,36 +1,37 @@
-image: elixir:1.9
+image: elixir:1.9-alpine
variables:
MIX_ENV: test
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- deps
- _build
stages:
- test
- publish
before_script:
+ - apk add elixir build-base cmake
- mix local.hex --force
- mix local.rebar --force
- mix deps.get
- mix compile --force
lint:
stage: test
script:
- mix format --check-formatted
unit-testing:
stage: test
coverage: '/(\d+\.\d+\%) \| Total/'
script:
- mix test --trace --preload-modules --cover
analysis:
stage: test
script:
- mix credo --strict --only=warnings,todo,fixme,consistency,readability
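Review bot: The added `apk add elixir build-base cmake` line installs Alpine's own Elixir package on top of the `elixir:1.9-alpine` image, which already ships Elixir and Erlang, so the runner presumably ends up with two Elixir installs of different versions and which one `mix` resolves to depends on PATH order. If the intent is only to supply the C toolchain and CMake that the fast_html 2.0 build needs, `- apk add build-base cmake` is enough. Neither the image tag nor the apk packages are pinned, so the build toolchain can drift between pipeline runs; pinning the image to a full version or digest would keep the test and publish stages reproducible.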
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..a67b1e8
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [0.2.0] - 2020-08-07
+### Changed
+- **Breaking**: CMake is now required at build-time due to a switch to [fast_html 2.0](https://hexdocs.pm/fast_html/changelog.html#2-0-0-2020-08-01)
diff --git a/lib/fast_sanitize/fragment.ex b/lib/fast_sanitize/fragment.ex
index cf8f8cc..ad9125e 100644
--- a/lib/fast_sanitize/fragment.ex
+++ b/lib/fast_sanitize/fragment.ex
@@ -1,79 +1,79 @@
defmodule FastSanitize.Fragment do
@moduledoc "Processing of HTML fragment trees."
import Plug.HTML, only: [html_escape_to_iodata: 1]
def to_tree(bin) do
- with {:ok, [{:html, _, fragment}]} <-
+ with {:ok, fragment} <-
:fast_html.decode_fragment(bin,
format: [:nil_self_closing, :comment_tuple3, :html_atoms]
) do
{:ok, fragment}
else
e ->
{:error, e}
end
end
defp build_attr_chunks([]), do: ""
defp build_attr_chunks(attrs) do
List.foldr(attrs, [], fn {k, v}, iodata ->
[[" ", html_escape_to_iodata(k), "=\"", html_escape_to_iodata(v), "\""] | iodata]
end)
end
defp build_self_closing_tag(tag, attrs),
do: ["<", to_string(tag), build_attr_chunks(attrs), "/>"]
defp build_start_tag(tag, []),
do: ["<", to_string(tag), ">"]
defp build_start_tag(tag, attrs),
do: ["<", to_string(tag), build_attr_chunks(attrs), ">"]
# text node
defp fragment_to_html("" <> _ = text, _), do: html_escape_to_iodata(text)
# empty tuple - fragment was clobbered, return nothing
defp fragment_to_html(nil, _), do: ""
defp fragment_to_html({}, _), do: ""
# comment node
defp fragment_to_html({:comment, _, text}, _), do: ["<!--", text, "-->"]
# a node which can never accept children will have nil instead of a subtree
defp fragment_to_html({tag, attrs, nil}, _), do: build_self_closing_tag(tag, attrs)
# every other case, assume a subtree
defp fragment_to_html({tag, attrs, subtree}, scrubber) do
start_tag = build_start_tag(tag, attrs)
subtree = subtree_to_iodata(subtree, scrubber)
[start_tag, subtree, "</", to_string(tag), ">"]
end
# bare subtree
defp fragment_to_html([], _), do: ""
defp fragment_to_html([_head | _tail] = subtree, scrubber) do
subtree_to_iodata(subtree, scrubber)
end
defp subtree_to_html([], _), do: {:ok, ""}
defp subtree_to_html(tree, scrubber) do
iodata = subtree_to_iodata(tree, scrubber)
rendered = :erlang.iolist_to_binary(iodata)
{:ok, rendered}
end
defp subtree_to_iodata(tree, scrubber) do
List.foldr(tree, [], fn node, iodata ->
[fragment_to_html(scrubber.scrub(node), scrubber) | iodata]
end)
end
def to_html(tree, scrubber \\ FastSanitize.Sanitizer.Dummy),
do: subtree_to_html(tree, scrubber)
end
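Review bot: With the match relaxed to `{:ok, fragment}` in `to_tree/1`, the `else e -> {:error, e}` clause wraps whatever `:fast_html.decode_fragment/2` returns on failure; if that is already an `{:error, reason}` tuple, callers receive `{:error, {:error, reason}}`. A clause such as `{:error, _} = err -> err` ahead of the existing `e -> {:error, e}` fallback would keep the error shape flat. The function has also lost its only structural assertion on the decoded value, and `to_html/2` hands that value straight to `List.foldr/3` in `subtree_to_iodata/2`, so a `@doc`/`@spec` on `to_tree/1` stating that `fragment` is a list of `{tag, attrs, subtree}` nodes (the shape the `fragment_to_html/2` clauses expect) would document the contract that fast_html 2.0 is now relied on to meet.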
diff --git a/mix.exs b/mix.exs
index 62a8084..026bcf5 100644
--- a/mix.exs
+++ b/mix.exs
@@ -1,49 +1,54 @@
defmodule FastSanitize.MixProject do
use Mix.Project
def project do
[
app: :fast_sanitize,
- version: "0.1.7",
+ version: "0.2.0",
elixir: "~> 1.7",
start_permanent: Mix.env() == :prod,
deps: deps(),
package: package(),
description: """
A module that provides performant and memory-efficient HTML sanitization.
Largely drop-in compatible with HtmlSanitizeEx.
- """
+ """,
+ docs: docs()
]
end
def package do
[
maintainers: ["rinpatch", "Ariadne Conill"],
licenses: ["MIT"],
links: %{
"GitLab" => "https://git.pleroma.social/pleroma/fast_sanitize",
"Issues" => "https://git.pleroma.social/pleroma/fast_sanitize/issues"
}
]
end
# Run "mix help compile.app" to learn about applications.
def application do
[
extra_applications: [:logger]
]
end
# Run "mix help deps" to learn about dependencies.
defp deps do
[
{:plug, "~> 1.8"},
- {:fast_html, "~> 1.0"},
+ {:fast_html, "~> 2.0"},
{:credo, "~> 1.0.0", only: [:dev, :test], runtime: false},
{:benchee, "~> 1.0", only: :bench},
{:html_sanitize_ex, "~> 1.3.0-rc3", only: :bench},
{:ex_doc, "~> 0.19", only: :dev, runtime: false},
{:dialyxir, "~> 1.0.0-rc.5", only: [:dev], runtime: false}
]
end
+
+ defp docs do
+ [extras: ["CHANGELOG.md"]]
+ end
end
diff --git a/mix.lock b/mix.lock
index a590997..204f0ab 100644
--- a/mix.lock
+++ b/mix.lock
@@ -1,20 +1,22 @@
%{
- "benchee": {:hex, :benchee, "1.0.1", "66b211f9bfd84bd97e6d1beaddf8fc2312aaabe192f776e8931cb0c16f53a521", [:mix], [{:deep_merge, "~> 1.0", [hex: :deep_merge, repo: "hexpm", optional: false]}], "hexpm"},
- "bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm"},
- "credo": {:hex, :credo, "1.0.5", "fdea745579f8845315fe6a3b43e2f9f8866839cfbc8562bb72778e9fdaa94214", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm"},
- "deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm"},
- "dialyxir": {:hex, :dialyxir, "1.0.0-rc.7", "6287f8f2cb45df8584317a4be1075b8c9b8a69de8eeb82b4d9e6c761cf2664cd", [:mix], [{:erlex, ">= 0.2.5", [hex: :erlex, repo: "hexpm", optional: false]}], "hexpm"},
- "earmark": {:hex, :earmark, "1.4.2", "3aa0bd23bc4c61cf2f1e5d752d1bb470560a6f8539974f767a38923bb20e1d7f", [:mix], [], "hexpm"},
- "erlex": {:hex, :erlex, "0.2.5", "e51132f2f472e13d606d808f0574508eeea2030d487fc002b46ad97e738b0510", [:mix], [], "hexpm"},
- "ex_doc": {:hex, :ex_doc, "0.21.2", "caca5bc28ed7b3bdc0b662f8afe2bee1eedb5c3cf7b322feeeb7c6ebbde089d6", [:mix], [{:earmark, "~> 1.3.3 or ~> 1.4", [hex: :earmark, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}], "hexpm"},
- "fast_html": {:hex, :fast_html, "1.0.2", "b2a32022741699421e90762ce904cacb4faf12c10129acc3674262dd7fa5d2b6", [:make, :mix], [], "hexpm"},
- "html_sanitize_ex": {:hex, :html_sanitize_ex, "1.3.0", "f005ad692b717691203f940c686208aa3d8ffd9dd4bb3699240096a51fa9564e", [:mix], [{:mochiweb, "~> 2.15", [hex: :mochiweb, repo: "hexpm", optional: false]}], "hexpm"},
- "jason": {:hex, :jason, "1.1.2", "b03dedea67a99223a2eaf9f1264ce37154564de899fd3d8b9a21b1a6fd64afe7", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
- "makeup": {:hex, :makeup, "1.0.0", "671df94cf5a594b739ce03b0d0316aa64312cee2574b6a44becb83cd90fb05dc", [:mix], [{:nimble_parsec, "~> 0.5.0", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm"},
- "makeup_elixir": {:hex, :makeup_elixir, "0.14.0", "cf8b7c66ad1cff4c14679698d532f0b5d45a3968ffbcbfd590339cb57742f1ae", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm"},
- "mime": {:hex, :mime, "1.3.1", "30ce04ab3175b6ad0bdce0035cba77bba68b813d523d1aac73d9781b4d193cf8", [:mix], [], "hexpm"},
- "mochiweb": {:hex, :mochiweb, "2.18.0", "eb55f1db3e6e960fac4e6db4e2db9ec3602cc9f30b86cd1481d56545c3145d2e", [:rebar3], [], "hexpm"},
- "nimble_parsec": {:hex, :nimble_parsec, "0.5.1", "c90796ecee0289dbb5ad16d3ad06f957b0cd1199769641c961cfe0b97db190e0", [:mix], [], "hexpm"},
- "plug": {:hex, :plug, "1.8.3", "12d5f9796dc72e8ac9614e94bda5e51c4c028d0d428e9297650d09e15a684478", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm"},
- "plug_crypto": {:hex, :plug_crypto, "1.0.0", "18e49317d3fa343f24620ed22795ec29d4a5e602d52d1513ccea0b07d8ea7d4d", [:mix], [], "hexpm"},
+ "benchee": {:hex, :benchee, "1.0.1", "66b211f9bfd84bd97e6d1beaddf8fc2312aaabe192f776e8931cb0c16f53a521", [:mix], [{:deep_merge, "~> 1.0", [hex: :deep_merge, repo: "hexpm", optional: false]}], "hexpm", "3ad58ae787e9c7c94dd7ceda3b587ec2c64604563e049b2a0e8baafae832addb"},
+ "bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm", "7af5c7e09fe1d40f76c8e4f9dd2be7cebd83909f31fee7cd0e9eadc567da8353"},
+ "credo": {:hex, :credo, "1.0.5", "fdea745579f8845315fe6a3b43e2f9f8866839cfbc8562bb72778e9fdaa94214", [:mix], [{:bunt, "~> 0.2.0", [hex: :bunt, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "16105fac37c5c4b3f6e1f70ba0784511fec4275cd8bb979386e3c739cf4e6455"},
+ "deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm", "ce708e5f094b9cd4e8f2be4f00d2f4250c4095be93f8cd6d018c753894885430"},
+ "dialyxir": {:hex, :dialyxir, "1.0.0-rc.7", "6287f8f2cb45df8584317a4be1075b8c9b8a69de8eeb82b4d9e6c761cf2664cd", [:mix], [{:erlex, ">= 0.2.5", [hex: :erlex, repo: "hexpm", optional: false]}], "hexpm", "506294d6c543e4e5282d4852aead19ace8a35bedeb043f9256a06a6336827122"},
+ "earmark": {:hex, :earmark, "1.4.2", "3aa0bd23bc4c61cf2f1e5d752d1bb470560a6f8539974f767a38923bb20e1d7f", [:mix], [], "hexpm", "5e8806285d8a3a8999bd38e4a73c58d28534c856bc38c44818e5ba85bbda16fb"},
+ "elixir_make": {:hex, :elixir_make, "0.6.0", "38349f3e29aff4864352084fc736fa7fa0f2995a819a737554f7ebd28b85aaab", [:mix], [], "hexpm", "d522695b93b7f0b4c0fcb2dfe73a6b905b1c301226a5a55cb42e5b14d509e050"},
+ "erlex": {:hex, :erlex, "0.2.5", "e51132f2f472e13d606d808f0574508eeea2030d487fc002b46ad97e738b0510", [:mix], [], "hexpm", "756d3e19b056339af674b715fdd752c5dac468cf9d0e2d1a03abf4574e99fbf8"},
+ "ex_doc": {:hex, :ex_doc, "0.21.2", "caca5bc28ed7b3bdc0b662f8afe2bee1eedb5c3cf7b322feeeb7c6ebbde089d6", [:mix], [{:earmark, "~> 1.3.3 or ~> 1.4", [hex: :earmark, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}], "hexpm", "f1155337ae17ff7a1255217b4c1ceefcd1860b7ceb1a1874031e7a861b052e39"},
+ "fast_html": {:hex, :fast_html, "2.0.1", "e126c74d287768ae78c48938da6711164517300d108a78f8a38993df8d588335", [:make, :mix], [{:elixir_make, "~> 0.4", [hex: :elixir_make, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 0.1.0", [hex: :nimble_pool, repo: "hexpm", optional: false]}], "hexpm", "bdd6f8525c95ad391a4f10d9a1b3da4cea94078ec8638487aa8c24015ad9393a"},
+ "html_sanitize_ex": {:hex, :html_sanitize_ex, "1.3.0", "f005ad692b717691203f940c686208aa3d8ffd9dd4bb3699240096a51fa9564e", [:mix], [{:mochiweb, "~> 2.15", [hex: :mochiweb, repo: "hexpm", optional: false]}], "hexpm", "abfb393ad888d57700f4d0f119c2643c8a9d98856f9b8a92001be7efad1419d6"},
+ "jason": {:hex, :jason, "1.1.2", "b03dedea67a99223a2eaf9f1264ce37154564de899fd3d8b9a21b1a6fd64afe7", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "fdf843bca858203ae1de16da2ee206f53416bbda5dc8c9e78f43243de4bc3afe"},
+ "makeup": {:hex, :makeup, "1.0.0", "671df94cf5a594b739ce03b0d0316aa64312cee2574b6a44becb83cd90fb05dc", [:mix], [{:nimble_parsec, "~> 0.5.0", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "a10c6eb62cca416019663129699769f0c2ccf39428b3bb3c0cb38c718a0c186d"},
+ "makeup_elixir": {:hex, :makeup_elixir, "0.14.0", "cf8b7c66ad1cff4c14679698d532f0b5d45a3968ffbcbfd590339cb57742f1ae", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "d4b316c7222a85bbaa2fd7c6e90e37e953257ad196dc229505137c5e505e9eff"},
+ "mime": {:hex, :mime, "1.3.1", "30ce04ab3175b6ad0bdce0035cba77bba68b813d523d1aac73d9781b4d193cf8", [:mix], [], "hexpm", "6cbe761d6a0ca5a31a0931bf4c63204bceb64538e664a8ecf784a9a6f3b875f1"},
+ "mochiweb": {:hex, :mochiweb, "2.18.0", "eb55f1db3e6e960fac4e6db4e2db9ec3602cc9f30b86cd1481d56545c3145d2e", [:rebar3], [], "hexpm", "b93e2b1e564bdbadfecc297277f9e6d0902da645b417d6c9210f6038ac63489a"},
+ "nimble_parsec": {:hex, :nimble_parsec, "0.5.1", "c90796ecee0289dbb5ad16d3ad06f957b0cd1199769641c961cfe0b97db190e0", [:mix], [], "hexpm", "00e3ebdc821fb3a36957320d49e8f4bfa310d73ea31c90e5f925dc75e030da8f"},
+ "nimble_pool": {:hex, :nimble_pool, "0.1.0", "ffa9d5be27eee2b00b0c634eb649aa27f97b39186fec3c493716c2a33e784ec6", [:mix], [], "hexpm", "343a1eaa620ddcf3430a83f39f2af499fe2370390d4f785cd475b4df5acaf3f9"},
+ "plug": {:hex, :plug, "1.8.3", "12d5f9796dc72e8ac9614e94bda5e51c4c028d0d428e9297650d09e15a684478", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "164baaeb382d19beee0ec484492aa82a9c8685770aee33b24ec727a0971b34d0"},
+ "plug_crypto": {:hex, :plug_crypto, "1.0.0", "18e49317d3fa343f24620ed22795ec29d4a5e602d52d1513ccea0b07d8ea7d4d", [:mix], [], "hexpm", "73c1682f0e414cfb5d9b95c8e8cd6ffcfdae699e3b05e1db744e58b7be857759"},
}
diff --git a/test/basic_html_test.exs b/test/basic_html_test.exs
index cc13236..8068ce0 100644
--- a/test/basic_html_test.exs
+++ b/test/basic_html_test.exs
@@ -1,353 +1,353 @@
defmodule FastSanitize.Sanitizer.BasicHTMLTest do
use ExUnit.Case
defp basic_html_sanitize(text) do
{:ok, text} = FastSanitize.basic_html(text)
text
end
test "strips nothing" do
input = "This <b>is</b> <b>an</b> <i>example</i> of <u>space</u> eating."
expected = "This <b>is</b> <b>an</b> <i>example</i> of <u>space</u> eating."
assert expected == basic_html_sanitize(input)
end
test "does strip language class from code tag" do
input = "<code class=\"ruby\">Something.new</code>"
expected = "<code>Something.new</code>"
assert expected == basic_html_sanitize(input)
end
test "strips everything except the allowed tags" do
input = "<h1>hello <script>code!</script></h1>"
expected = "<h1>hello code!</h1>"
assert expected == basic_html_sanitize(input)
end
test "strips everything except the allowed tags (for multiple tags)" do
input =
"<section><header><script>code!</script></header><p>hello <script>code!</script></p></section>"
expected = "code!<p>hello code!</p>"
assert expected == basic_html_sanitize(input)
end
test "strips everything for faulty allowed_tags: key" do
input = "<h1>hello<h1>"
expected = "hello"
assert expected != basic_html_sanitize(input)
end
test "strips invalid html" do
input = "<<<bad html"
expected = "&lt;&lt;"
assert expected == basic_html_sanitize(input)
end
test "strips tags with quote" do
input = "<\" <img src=\"trollface.gif\" onload=\"alert(1)\"> hi"
assert "&lt;&quot; <img src=\"trollface.gif\"/> hi" ==
basic_html_sanitize(input)
end
test "strips nested tags" do
input = "Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"
expected = "Wei&lt;<a>a onclick=&#39;alert(document.cookie);&#39;</a>/&gt;rdos"
assert expected == basic_html_sanitize(input)
end
test "strips certain tags in multi line strings" do
input =
"<title>This is <b>a <a href=\"\" target=\"_blank\">test</a></b>.</title>\n\n<!-- it has a comment -->\n\n<p>It no <b>longer <strong>contains <em>any <strike>HTML</strike></em>.</strong></b></p>\n"
expected =
"This is &lt;b&gt;a &lt;a href=&quot;&quot; target=&quot;_blank&quot;&gt;test&lt;/a&gt;&lt;/b&gt;.\n\n\n\n<p>It no <b>longer <strong>contains <em>any HTML</em>.</strong></b></p>\n"
assert expected == basic_html_sanitize(input)
end
test "strips blank string" do
assert "" == basic_html_sanitize("")
assert "" == basic_html_sanitize(nil)
end
test "strips nothing from plain text" do
input = "Dont touch me"
expected = "Dont touch me"
assert expected == basic_html_sanitize(input)
end
test "strips nothing from a sentence" do
input = "This is a test."
expected = "This is a test."
assert expected == basic_html_sanitize(input)
end
test "strips tags with comment" do
input = "This has a <!-- comment --> here."
expected = "This has a here."
assert expected == basic_html_sanitize(input)
end
test "strip_tags escapes special characters" do
assert "&amp;", basic_html_sanitize("&")
end
# link sanitizer
test "test_strip_links_with_tags_in_tags" do
input = "<<a>a href='hello'>all <b>day</b> long<</A>/a>"
expected = "&lt;<a>a href=&#39;hello&#39;&gt;all <b>day</b> long&lt;</a>/a&gt;"
assert expected == basic_html_sanitize(input)
end
test "test_strip_links_with_plaintext" do
assert "Dont touch me" == basic_html_sanitize("Dont touch me")
end
@tag href_scrubbing: true
test "test_strip_links_with_line_feed_and_uppercase_tag" do
input = "<a href='almost'>on my mind</a> <A href='almost'>all day long</A>"
assert ~s(<a href="almost">on my mind</a> <a href="almost">all day long</a>) ==
basic_html_sanitize(input)
end
@tag href_scrubbing: true
test "test_strip_links_leaves_nonlink_tags" do
assert ~s(<a href="almost">My mind</a>\n<a href="almost">all <b>day</b> long</a>) ==
basic_html_sanitize(
"<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>"
)
end
@tag href_scrubbing: true
test "strips tags with basic_html_sanitize/1" do
input = "<p>This <u>is</u> a <a href='test.html'><strong>test</strong></a>.</p>"
assert "<p>This <u>is</u> a <a href=\"test.html\"><strong>test</strong></a>.</p>" ==
basic_html_sanitize(input)
end
@a_href_hacks [
"<a href=\"javascript:alert('XSS');\">text here</a>",
"<a href=javascript:alert('XSS')>text here</a>",
"<a href=javascript:alert(&quot;XSS&quot;)>text here</a>",
"<a href=javascript:alert(String.fromCharCode(88,83,83))>text here</a>"
]
@tag href_scrubbing: true
test "strips malicious protocol hacks from a href attribute" do
expected = "<a>text here</a>"
Enum.each(@a_href_hacks, fn x ->
assert expected == basic_html_sanitize(x)
end)
end
@tag href_scrubbing: true
test "does not strip x03a legitimate" do
assert "<a href=\"http://legit\"></a>" ==
basic_html_sanitize("<a href=\"http&#x3a;//legit\">")
assert "<a href=\"http://legit\"></a>" ==
basic_html_sanitize("<a href=\"http&#x3A;//legit\">")
end
test "test_strip links with links" do
input =
"<a href='http://www.elixirstatus.com/'><a href='http://www.elixirstatus.com/' onlclick='steal()'>0wn3d</a></a>"
assert ~s(<a href="http://www.elixirstatus.com/"></a><a href="http://www.elixirstatus.com/">0wn3d</a>) ==
basic_html_sanitize(input)
end
test "test_strip_links_with_linkception" do
assert ~s(<a href="http://www.elixirstatus.com/">Mag</a><a href="http://www.elixir-lang.org/">ic</a>) ==
basic_html_sanitize(
"<a href='http://www.elixirstatus.com/'>Mag<a href='http://www.elixir-lang.org/'>ic"
)
end
test "test_strip_links_with_a_tag_in_href" do
assert "FrrFox" ==
basic_html_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
end
test "normal scrubbing does only allow certain tags and attributes" do
input = "<span data-foo=\"bar\">foo</span>"
expected = "<span>foo</span>"
assert expected == basic_html_sanitize(input)
end
test "strips not allowed attributes" do
input = "start <a title=\"1\" onclick=\"foo\">foo <bad>bar</bad> baz</a> end"
expected = "start <a title=\"1\">foo bar baz</a> end"
assert expected == basic_html_sanitize(input)
end
test "sanitize_script" do
assert "a b cblah blah blahd e f" ==
basic_html_sanitize(
"a b c<script language=\"Javascript\">blah blah blah</script>d e f"
)
end
@tag href_scrubbing: true
test "sanitize_js_handlers" do
input =
~s(onthis="do that" <a href="#" onclick="hello" name="foo" onbogus="remove me">hello</a>)
assert ~s(onthis=&quot;do that&quot; <a href="#" name="foo">hello</a>) ==
basic_html_sanitize(input)
end
test "sanitize_javascript_href" do
raw =
~s(href="javascript:bang" <a href="javascript:bang" name="hello">foo</a>, <span href="javascript:bang">bar</span>)
assert ~s(href=&quot;javascript:bang&quot; <a name="hello">foo</a>, <span>bar</span>) ==
basic_html_sanitize(raw)
end
test "sanitize_image_src" do
raw =
~s(src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>)
assert "src=&quot;javascript:bang&quot; <img width=\"5\"/>foo, <span>bar</span>" ==
basic_html_sanitize(raw)
end
@tag href_scrubbing: true
test "should only allow http/https protocols" do
assert "<a href=\"foo\">baz</a>" ==
basic_html_sanitize(~s(<a href="foo" onclick="bar"><script>baz</script></a>))
assert "<a href=\"http://example.com\">baz</a>" ==
basic_html_sanitize(
~s(<a href="http://example.com" onclick="bar"><script>baz</script></a>)
)
assert "<a href=\"https://example.com\">baz</a>" ==
basic_html_sanitize(
~s(<a href="https://example.com" onclick="bar"><script>baz</script></a>)
)
end
# test "video_poster_sanitization" do
# assert ~s(<video src="videofile.ogg" autoplay poster="posterimage.jpg"></video>) == ~s(<video src="videofile.ogg" poster="posterimage.jpg"></video>)
# assert ~s(<video src="videofile.ogg"></video>) == basic_html_sanitize("<video src=\"videofile.ogg\" poster=javascript:alert(1)></video>")
# end
test "strips not allowed tags " do
input = "<form><u></u></form>"
expected = "<u></u>"
assert expected == basic_html_sanitize(input)
end
test "strips not allowed attributes " do
input = "<a foo=\"hello\" bar=\"world\"></a>"
expected = "<a></a>"
assert expected == basic_html_sanitize(input)
end
@image_src_hacks [
"<IMG SRC=\"javascript:alert('XSS');\">",
"<IMG SRC=javascript:alert('XSS')>",
"<IMG SRC=JaVaScRiPt:alert('XSS')>",
"<IMG SRC=javascript:alert(&quot;XSS&quot;)>",
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>"
]
test "strips malicious protocol hacks from img src attribute" do
expected = "<img/>"
Enum.each(@image_src_hacks, fn x ->
assert expected == basic_html_sanitize(x)
end)
end
test "strips script tag" do
input = "<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>"
expected = ""
assert expected == basic_html_sanitize(input)
end
test "strips xss image hack with uppercase tags" do
input = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"
expected = "<img/>alert(&quot;XSS&quot;)&quot;&gt;"
assert expected == basic_html_sanitize(input)
end
test "should_sanitize_tag_broken_up_by_null" do
assert "alert(&quot;XSS&quot;)" ==
basic_html_sanitize("<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>")
end
test "should_sanitize_invalid_script_tag" do
input = "<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"
assert "" == basic_html_sanitize(input)
end
test "sanitize half open scripts" do
input = "<IMG SRC=\"javascript:alert('XSS')\""
- assert "<img/>" == basic_html_sanitize(input)
+ assert "" == basic_html_sanitize(input)
end
test "should_sanitize_within attributes" do
input = "<span title=\"&#39;&gt;&lt;script&gt;alert()&lt;/script&gt;\">blah</span>"
assert "<span>blah</span>" == basic_html_sanitize(input)
end
test "should_sanitize_invalid_tag_names" do
end
test "should_sanitize_non_alpha_and_non_digit_characters_in_tags" do
assert "<a>foo</a>" ==
basic_html_sanitize("<a onclick!@#$%^&*='alert(\"XSS\")'>foo</a>")
end
test "should_sanitize_invalid_tag_names_in_single_tags" do
assert "<img/>" ==
basic_html_sanitize("<img/src=\"javascript:alert('XSS')\"/>")
end
test "should_sanitize_img_dynsrc_lowsrc" do
assert "<img/>" ==
basic_html_sanitize("<img lowsrc=\"javascript:alert('XSS')\" />")
end
test "should_sanitize_img_vbscript" do
assert "<img/>" ==
basic_html_sanitize("<img src='vbscript:msgbox(\"XSS\")' />")
end
test "should_not_mangle_urls_with_ampersand" do
input = "<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>"
assert input == basic_html_sanitize(input)
end
test "should_not_crash_on_invalid_schema_formatting_2" do
input = "<a href=\"ftp://www.domain.com/http%3A//\">text here</a>"
assert "<a>text here</a>" == basic_html_sanitize(input)
end
test "should_sanitize_neverending_attribute" do
assert "" == basic_html_sanitize("<span class=\"\\")
end
# test "this affects only NS4, but we're on a roll, right?" do
# input = "<div size=\"&{alert('XSS')}\">foo</div>"
# expected = "<div>foo</div>"
# assert expected == basic_html_sanitize(input)
# end
test "does not strip the mailto URI scheme" do
input = ~s(<a href="mailto:someone@yoursite.com">Email Us</a>)
expected = ~s(<a href="mailto:someone@yoursite.com">Email Us</a>)
assert expected == basic_html_sanitize(input)
end
end
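Review bot: The updated expectation `assert "" == basic_html_sanitize(input)` in "sanitize half open scripts" encodes how the new parser treats a tag truncated inside an attribute value (the whole element is dropped, where the previous expectation was `<img/>`), but nothing in the test says so; a comment such as `# fast_html 2.0 drops an element cut off inside an attribute value; the 1.x parser emitted a bare <img/>` would stop a later parser change that restores the old output from being misread as a sanitizer regression. Neither output carries an attribute, so the property worth pinning independently of parser behaviour is that the `src` value never survives, e.g. `refute basic_html_sanitize(input) =~ "javascript"`. While in this file, `assert "&amp;", basic_html_sanitize("&")` in "strip_tags escapes special characters" passes the sanitizer call as the assertion message instead of comparing against it, so that test can never fail; it should read `assert "&amp;" == basic_html_sanitize("&")`.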
