akkoma/test/html_test.exs

# Pleroma: A lightweight social networking server
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.HTMLTest do
  alias Pleroma.HTML
  use Pleroma.DataCase

  @html_sample """
    <b>this is in bold</b>
    <p>this is a paragraph</p>
    this is a linebreak<br />
    this is an image: <img src="http://example.com/image.jpg"><br />
    <script>alert('hacked')</script>
  """

  @html_onerror_sample """
    <img src="http://example.com/image.jpg" onerror="alert('hacked')">
  """

  describe "StripTags scrubber" do
    test "works as expected" do
      expected = """
      this is in bold
        this is a paragraph
        this is a linebreak
        this is an image: 
        alert('hacked')
      """

      assert expected == HTML.strip_tags(@html_sample)
    end

    test "does not allow attribute-based XSS" do
      expected = "\n"

      assert expected == HTML.strip_tags(@html_onerror_sample)
    end
  end

  describe "TwitterText scrubber" do
    test "normalizes HTML as expected" do
      expected = """
      this is in bold
        <p>this is a paragraph</p>
        this is a linebreak<br />
        this is an image: <img src="http://example.com/image.jpg" /><br />
        alert('hacked')
      """

      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
    end

    test "does not allow attribute-based XSS" do
      expected = """
      <img src="http://example.com/image.jpg" />
      """

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
    end
  end

  describe "default scrubber" do
    test "normalizes HTML as expected" do
      expected = """
      <b>this is in bold</b>
        <p>this is a paragraph</p>
        this is a linebreak<br />
        this is an image: <img src="http://example.com/image.jpg" /><br />
        alert('hacked')
      """

      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
    end

    test "does not allow attribute-based XSS" do
      expected = """
      <img src="http://example.com/image.jpg" />
      """

      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
    end
  end
end
tests: add legal boilerplate 2018-12-23 20:11:29 +00:00			`# Pleroma: A lightweight social networking server`
			`# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>`
			`# SPDX-License-Identifier: AGPL-3.0-only`

test: add smoketests for the scrubbing policies 2018-09-22 03:44:19 +00:00			`defmodule Pleroma.HTMLTest do`
			`alias Pleroma.HTML`
			`use Pleroma.DataCase`

			`@html_sample """`
			`<b>this is in bold</b>`
			`<p>this is a paragraph</p>`
			`this is a linebreak<br />`
			`this is an image: <img src="http://example.com/image.jpg"><br />`
			`<script>alert('hacked')</script>`
			`"""`

			`@html_onerror_sample """`
			`<img src="http://example.com/image.jpg" onerror="alert('hacked')">`
			`"""`

			`describe "StripTags scrubber" do`
			`test "works as expected" do`
			`expected = """`
			`this is in bold`
			`this is a paragraph`
			`this is a linebreak`
			`this is an image:`
			`alert('hacked')`
			`"""`

			`assert expected == HTML.strip_tags(@html_sample)`
			`end`

			`test "does not allow attribute-based XSS" do`
			`expected = "\n"`

			`assert expected == HTML.strip_tags(@html_onerror_sample)`
			`end`
			`end`

			`describe "TwitterText scrubber" do`
			`test "normalizes HTML as expected" do`
			`expected = """`
			`this is in bold`
			`<p>this is a paragraph</p>`
			`this is a linebreak<br />`
			`this is an image: <img src="http://example.com/image.jpg" /><br />`
			`alert('hacked')`
			`"""`

			`assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)`
			`end`

			`test "does not allow attribute-based XSS" do`
			`expected = """`
			`<img src="http://example.com/image.jpg" />`
			`"""`

			`assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)`
			`end`
			`end`

			`describe "default scrubber" do`
			`test "normalizes HTML as expected" do`
			`expected = """`
			`<b>this is in bold</b>`
			`<p>this is a paragraph</p>`
			`this is a linebreak<br />`
			`this is an image: <img src="http://example.com/image.jpg" /><br />`
			`alert('hacked')`
			`"""`

			`assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)`
			`end`

			`test "does not allow attribute-based XSS" do`
			`expected = """`
			`<img src="http://example.com/image.jpg" />`
			`"""`

			`assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)`
			`end`
			`end`
			`end`