Merge branch 'feature/html-scrub-policy-tests' into 'develop'

html: add scrub policy tests See merge request pleroma/pleroma!356
2018-09-22 03:50:39 +00:00 · 2018-09-22 03:50:39 +00:00 · 3193423be9
commit 3193423be9
parent 7e12ef0ab0 85b59d07b6
2 changed files with 82 additions and 0 deletions
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@ -69,6 +69,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
      "alt"
    ])
  end
+
+  Meta.strip_everything_not_covered()
 end

 defmodule Pleroma.HTML.Scrubber.Default do
--- a/test/html_test.exs
+++ b/test/html_test.exs
@ -0,0 +1,80 @@
+defmodule Pleroma.HTMLTest do
+  alias Pleroma.HTML
+  use Pleroma.DataCase
+
+  @html_sample """
+    <b>this is in bold</b>
+    <p>this is a paragraph</p>
+    this is a linebreak<br />
+    this is an image: <img src="http://example.com/image.jpg"><br />
+    <script>alert('hacked')</script>
+  """
+
+  @html_onerror_sample """
+    <img src="http://example.com/image.jpg" onerror="alert('hacked')">
+  """
+
+  describe "StripTags scrubber" do
+    test "works as expected" do
+      expected = """
+      this is in bold
+        this is a paragraph
+        this is a linebreak
+        this is an image: 
+        alert('hacked')
+      """
+
+      assert expected == HTML.strip_tags(@html_sample)
+    end
+
+    test "does not allow attribute-based XSS" do
+      expected = "\n"
+
+      assert expected == HTML.strip_tags(@html_onerror_sample)
+    end
+  end
+
+  describe "TwitterText scrubber" do
+    test "normalizes HTML as expected" do
+      expected = """
+      this is in bold
+        <p>this is a paragraph</p>
+        this is a linebreak<br />
+        this is an image: <img src="http://example.com/image.jpg" /><br />
+        alert('hacked')
+      """
+
+      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
+    test "does not allow attribute-based XSS" do
+      expected = """
+      <img src="http://example.com/image.jpg" />
+      """
+
+      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+  end
+
+  describe "default scrubber" do
+    test "normalizes HTML as expected" do
+      expected = """
+      <b>this is in bold</b>
+        <p>this is a paragraph</p>
+        this is a linebreak<br />
+        this is an image: <img src="http://example.com/image.jpg" /><br />
+        alert('hacked')
+      """
+
+      assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
+    end
+
+    test "does not allow attribute-based XSS" do
+      expected = """
+      <img src="http://example.com/image.jpg" />
+      """
+
+      assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
+    end
+  end
+end