- Revision:
- 173
- Log:
Updated to the latest release of Beast according to the "getting started with
Beast" guide at: http://beast.caboo.se/forums/1/topics/381
This check-in includes frozen Edge Rails and the beginnings of the
configuration for the ROOL site.
- Author:
- rool
- Date:
- Fri Mar 02 15:59:12 +0000 2007
- Size:
- 5273 Bytes
require 'test/unit'
# Boot the application environment so that WhiteListHelper (the module under
# test) is available — presumably through the app's autoloading, since nothing
# in this file requires it explicitly; verify against config/environment.rb.
require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb'))

# Exercises the HTML sanitiser provided by WhiteListHelper: white_list (strips
# disallowed tags/attributes) and contains_bad_protocols? (rejects dangerous
# URL schemes). Most cases are known XSS vectors that must be reduced to
# harmless markup; the expected output is always given explicitly or, when
# omitted, is the input itself (see assert_white_listed at the bottom).
class WhiteListTest < Test::Unit::TestCase
  include WhiteListHelper
  # contains_bad_protocols? is not public on the helper; expose it here so the
  # protocol tests below can call it directly.
  public :contains_bad_protocols?

  # One test per allowed tag: the tag survives with its `title` attribute, the
  # unlisted `name` attribute is dropped, and attribute quoting is normalised
  # to single quotes. Note the expected string keeps the inner <bad>…</bad>
  # element as-is.
  WhiteListHelper.tags.each do |tag_name|
    define_method "test_should_allow_#{tag_name}_tag" do
      assert_white_listed "start <#{tag_name} title=\"1\" name=\"foo\">foo <bad>bar</bad> baz</#{tag_name}> end", "start <#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}> end"
    end
  end

  # href is kept, the onclick handler is dropped, and the nested <script>
  # element is removed together with its content.
  def test_should_allow_anchors
    assert_white_listed %(<a href="foo" onclick="bar"><script>baz</script></a>), "<a href='foo'></a>"
  end

  # Each of these image attributes is retained while onclick is stripped.
  %w(src width height alt).each do |img_attr|
    define_method "test_should_allow_image_#{img_attr}_attribute" do
      assert_white_listed %(<img #{img_attr}="foo" onclick="bar" />), "<img #{img_attr}='foo' />"
    end
  end

  # Plain text passes through unchanged.
  def test_should_handle_non_html
    assert_white_listed 'abc'
  end

  # nil and the empty string are returned as given.
  def test_should_handle_blank_text
    assert_white_listed nil
    assert_white_listed ''
  end

  # The :tags option extends the allowed tag list for a single call.
  def test_should_allow_custom_tags
    text = "<u>foo</u>"
    assert_equal(text, white_list(text, :tags => %w(u)))
  end

  # The :attributes option extends the allowed attribute list for a single call.
  def test_should_allow_custom_tags_with_attributes
    text = "<fieldset foo='bar'>foo</fieldset>"
    assert_equal(text, white_list(text, :attributes => ['foo']))
  end

  # A javascript: URL in img/src or a/href causes that attribute to be removed
  # entirely; the harmless title attribute is kept.
  [%w(img src), %w(a href)].each do |(tag, attr)|
    define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
      assert_white_listed %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title='1'>boo</#{tag}>)
    end
  end

  # Every scheme in this list must be flagged as dangerous.
  def test_should_flag_bad_protocols
    %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto|
      assert contains_bad_protocols?("#{proto}://bad")
    end
  end

  # Every scheme the helper itself allows (WhiteListHelper.protocols) must not
  # be flagged.
  def test_should_accept_good_protocols
    WhiteListHelper.protocols.each do |proto|
      assert !contains_bad_protocols?("#{proto}://good")
    end
  end

  # The percent-encoded string decodes to javascript:alert("XSS"); it must be
  # flagged by the predicate, and an href carrying it must be stripped.
  def test_should_reject_hex_codes_in_protocol
    assert contains_bad_protocols?("%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29")
    assert_white_listed %(<a href="%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29">1</a>), "<a>1</a>"
  end

  # A SCRIPT element whose attributes are separated by a newline is removed
  # completely, leaving an empty string.
  def test_should_block_script_tag
    assert_white_listed %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), ""
  end

  # Image-based vectors: quoted, unquoted and mixed-case javascript: schemes,
  # broken attribute quoting followed by an inline SCRIPT, String.fromCharCode,
  # a tab / line break inside the scheme name, leading whitespace, and a
  # backtick-quoted value. Every one must collapse to a bare <img>.
  # NOTE(review): three entries below are byte-for-byte identical on this page;
  # the original list presumably used differing character-entity encodings
  # that the page renderer decoded — confirm against the source file.
  [%(<IMG SRC="javascript:alert('XSS');">),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=JaVaScRiPt:alert('XSS')>),
   %(<IMG """><SCRIPT>alert("XSS")</SCRIPT>">),
   %(<IMG SRC=javascript:alert("XSS")>),
   %(<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC="jav\tascript:alert('XSS');">),
   %(<IMG SRC="jav	ascript:alert('XSS');">),
   %(<IMG SRC="jav
ascript:alert('XSS');">),
   %(<IMG SRC="jav
ascript:alert('XSS');">),
   %(<IMG SRC="  javascript:alert('XSS');">),
   %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
    define_method "test_should_not_fall_for_xss_image_hack_#{i}" do
      assert_white_listed img_hack, "<img>"
    end
  end

  # The null byte is dropped and the tag name lowercased; the remaining <scr>
  # element is not reassembled into a script tag.
  def test_should_sanitize_tag_broken_up_by_null
    assert_white_listed %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>), "<scr>alert(\"XSS\")</scr>"
  end

  # A SCRIPT tag with junk after a slash in its name is still removed outright.
  def test_should_sanitize_invalid_script_tag
    assert_white_listed %(<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>), ""
  end

  # Doubled "<" and an unterminated iframe: the script is removed leaving the
  # stray "<", and only the "http:" part of the iframe src survives.
  def test_should_sanitize_script_tag_with_multiple_open_brackets
    assert_white_listed %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "<"
    assert_white_listed %(<iframe src=http://ha.ckers.org/scriptlet.html\n<), "<iframe src='http:' /><"
  end

  # An unclosed SCRIPT tag is dropped; the <B> that follows it is kept.
  def test_should_sanitize_unclosed_script
    assert_white_listed %(<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>), "<b>"
  end

  # An img tag that is never closed still has its javascript: src stripped.
  def test_should_sanitize_half_open_scripts
    assert_white_listed %(<IMG SRC="javascript:alert('XSS')"), "<img>"
  end

  # The attribute name, "=", quotes and every character of the javascript: URL
  # are on separate lines; the src must still be recognised and stripped.
  def test_should_not_fall_for_ridiculous_hack
    img_hack = %(<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
    assert_white_listed img_hack, "<img>"
  end

  # white_list yields (node, bad) for each node it would act on; returning nil
  # drops the node, returning the node keeps it (here <img> and <blink>).
  def test_should_allow_custom_block
    html = %(<SCRIPT type="javascript">foo</SCRIPT><img>blah</img><blink>blah</blink>)
    safe = white_list html do |node, bad|
      bad == 'script' ? nil : node
    end
    assert_equal "<img>blah</img><blink>blah</blink>", safe
  end

  protected
  # Asserts that white_list(text) equals `expected`, or `text` itself when no
  # expectation is given. An explicit "" is honoured because only nil and false
  # are falsy in Ruby.
  def assert_white_listed(text, expected = nil)
    assert_equal((expected || text), white_list(text))
  end
end