- Revision:
- 344
- Log:
Massive changeset which brings the old, ROOL customised Instiki
version up to date, but without any ROOL customisations in this
latest checked-in version (which is 0.19.1). This is deliberate,
so that it's easy to see the changes made for the ROOL version
in a subsequent changeset. The 'app/views/shared' directory is not
part of Instiki but is kept to maintain the change history with
updated ROOL customisations, some of which involve the same files
in that same directory.
- Author:
- rool
- Date:
- Sat Mar 19 19:52:13 +0000 2011
- Size:
- 6299 Bytes
1 | #!/usr/bin/env ruby |
2 | #coding: ascii-8bit |
3 | |
4 | require File.expand_path(File.join(File.dirname(__FILE__), '/../test_helper')) |
5 | require 'sanitizer' |
6 | require 'json' |
7 | require 'instiki_stringsupport' |
8 | |
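# Regression tests for Sanitizer#xhtml_sanitize.  Most cases are generated
# at class-load time from the whitelists exported by Sanitizer
# (ALLOWED_ELEMENTS, ALLOWED_ATTRIBUTES, ALLOWED_PROTOCOLS,
# SVG_ALLOW_LOCAL_HREF) and from the JSON fixture ../sanitizer.dat.
#
# NOTE(review): this listing appears to have had HTML entity references in
# the string literals decoded to the characters they name (e.g. "&lt;"
# shown as "<"); verify the literals below against the repository copy.
class SanitizerTest < Test::Unit::TestCase

  include Sanitizer

  def setup
  end

  # Runs +stream+ through Sanitizer#xhtml_sanitize (mixed in above).
  def do_sanitize_xhtml(stream)
    xhtml_sanitize(stream)
  end

  # Asserts that sanitizing +input+ yields +xhtmloutput+.  The comparison is
  # done on byte strings (as_bytes) so that the result does not depend on
  # the Ruby version's string encoding.  +htmloutput+ and +rexmloutput+ are
  # accepted so the fixture format stays intact, but only the XHTML
  # sanitizer output is checked here.
  def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
    assert_equal xhtmloutput.as_bytes, do_sanitize_xhtml(input).as_bytes
  end

  # Named and numeric character references: the sanitizer expands them to
  # UTF-8, whereas String#to_utf8 (output2) leaves the numeric ones as-is.
  def test_sanitize_named_entities
    # NOTE(review): only "&phis;" survives as an entity in this listing;
    # confirm the other references against the repository copy.
    input = '<p>Greek &phis; φ, double-struck 𝔸, numeric 𝔸 ⁗, uppercase ™ <</p>'
    output = "<p>Greek \317\225 \317\206, double-struck \360\235\224\270, numeric \360\235\224\270 \342\201\227, uppercase \342\204\242 <</p>"
    output2 = "<p>Greek \317\225 \317\206, double-struck \360\235\224\270, numeric 𝔸 ⁗, uppercase \342\204\242 <</p>"
    check_sanitization(input, output, output, output)
    assert_equal(output2, input.to_utf8.as_bytes)
  end

  # Invalid UTF-8 lead bytes (\357, \302) must not reach the output.  The
  # expectation differs between Rubies with String#force_encoding (1.9+)
  # and older ones, where the byte after the bad lead byte is lost as well
  # (presumably a property of String#purify — confirm in instiki_stringsupport).
  def test_sanitize_malformed_utf8
    input = "<p>\357elephant & \302ivory</p>".purify
    output = "".respond_to?(:force_encoding) ? "<p>elephant & ivory</p>" : "<p>ephant & vory</p>"
    check_sanitization(input, output, output, output)
  end

  # One test per whitelisted element: the element and its title attribute
  # are retained.  Void elements are expected as self-closing tags with the
  # content following them instead of nested inside.
  Sanitizer::ALLOWED_ELEMENTS.each do |tag_name|
    define_method "test_should_allow_#{tag_name}_tag" do
      input = "<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>"
      htmloutput = "<#{tag_name.downcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.downcase}>"
      xhtmloutput = "<#{tag_name} title='1'>foo <bad>bar</bad> baz</#{tag_name}>"
      rexmloutput = xhtmloutput

      if VOID_ELEMENTS.include?(tag_name)
        htmloutput = "<#{tag_name} title='1'/>foo <bad>bar</bad> baz"
        xhtmloutput = htmloutput
        htmloutput += '<br/>' if tag_name == 'br'
        rexmloutput = "<#{tag_name} title='1' />"
      end
      check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
    end
  end

  # The whitelist is case-sensitive: the upper-cased form of an allowed
  # element is treated as a non-whitelisted element.
  Sanitizer::ALLOWED_ELEMENTS.each do |tag_name|
    define_method "test_should_forbid_#{tag_name.upcase}_tag" do
      input = "<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>"
      output = "<#{tag_name.upcase} title=\"1\">foo <bad>bar</bad> baz</#{tag_name.upcase}>"
      xhtmloutput = "<#{tag_name.upcase} title='1'>foo <bad>bar</bad> baz</#{tag_name.upcase}>"
      check_sanitization(input, output, xhtmloutput, output)
    end
  end

  # Whitelisted attributes on <p> are kept verbatim.  'style' is skipped
  # here (its value is not an arbitrary token).
  Sanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name|
    next if attribute_name == 'style'
    define_method "test_should_allow_#{attribute_name}_attribute" do
      input = "<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>"
      output = "<p #{attribute_name}='foo'>foo <bad>bar</bad> baz</p>"
      htmloutput = "<p #{attribute_name.downcase}='foo'>foo <bad>bar</bad> baz</p>"
      check_sanitization(input, htmloutput, output, output)
    end
  end

  # Upper-cased attribute names are not whitelisted: the attribute is
  # dropped entirely and only the element remains.
  Sanitizer::ALLOWED_ATTRIBUTES.each do |attribute_name|
    define_method "test_should_forbid_#{attribute_name.upcase}_attribute" do
      input = "<p #{attribute_name.upcase}='display: none;'>foo <bad>bar</bad> baz</p>"
      output = "<p>foo <bad>bar</bad> baz</p>"
      check_sanitization(input, output, output, output)
    end
  end

  # An href whose value is a whitelisted protocol name is kept (quotes are
  # normalised to single quotes on output).
  Sanitizer::ALLOWED_PROTOCOLS.each do |protocol|
    define_method "test_should_allow_#{protocol}_uris" do
      input = %(<a href="#{protocol}">foo</a>)
      output = "<a href='#{protocol}'>foo</a>"
      check_sanitization(input, output, output, output)
    end
  end

  # Protocol matching is case-insensitive: the upper-cased form is kept too.
  Sanitizer::ALLOWED_PROTOCOLS.each do |protocol|
    define_method "test_should_allow_uppercase_#{protocol}_uris" do
      input = %(<a href="#{protocol.upcase}">foo</a>)
      output = "<a href='#{protocol.upcase}'>foo</a>"
      check_sanitization(input, output, output, output)
    end
  end

  # SVG elements listed in SVG_ALLOW_LOCAL_HREF may carry a local (fragment)
  # xlink:href, with or without leading whitespace.  A non-local target is
  # stripped from the element, and a leading newline must not let it
  # through either.
  Sanitizer::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
    next unless Sanitizer::ALLOWED_ELEMENTS.include?(tag_name)
    define_method "test_#{tag_name}_should_allow_local_href" do
      input = %(<#{tag_name} xlink:href="#foo"/>)
      output = "<#{tag_name.downcase} xlink:href='#foo'/>"
      xhtmloutput = "<#{tag_name} xlink:href='#foo'/>"
      check_sanitization(input, output, xhtmloutput, xhtmloutput)
    end

    define_method "test_#{tag_name}_should_allow_local_href_with_newline" do
      input = %(<#{tag_name} xlink:href="\n#foo"/>)
      output = "<#{tag_name.downcase} xlink:href='\n#foo'/>"
      xhtmloutput = "<#{tag_name} xlink:href='\n#foo'/>"
      check_sanitization(input, output, xhtmloutput, xhtmloutput)
    end

    define_method "test_#{tag_name}_should_forbid_nonlocal_href" do
      input = %(<#{tag_name} xlink:href="http://bad.com/foo"/>)
      output = "<#{tag_name.downcase}/>"
      xhtmloutput = "<#{tag_name}/>"
      check_sanitization(input, output, xhtmloutput, xhtmloutput)
    end

    define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline" do
      input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo"/>)
      output = "<#{tag_name.downcase}/>"
      xhtmloutput = "<#{tag_name}/>"
      check_sanitization(input, output, xhtmloutput, xhtmloutput)
    end
  end

  # Characters outside the BMP (4-byte UTF-8 sequences) pass through
  # unchanged, both as text and inside an element.
  def test_should_handle_astral_plane_characters
    input = "<p>𝒵 𝔸</p>"
    output = "<p>\360\235\222\265 \360\235\224\270</p>"
    check_sanitization(input, output, output, output)

    input = "<p><tspan>\360\235\224\270</tspan> a</p>"
    output = "<p><tspan>\360\235\224\270</tspan> a</p>"
    check_sanitization(input, output, output, output)
  end

  # This affects only NS4. Is it worth fixing?
  # def test_javascript_includes
  #   input = %(<div size="&{alert('XSS')}">foo</div>)
  #   output = "<div>foo</div>"
  #   check_sanitization(input, output, output, output)
  # end

  # Data-driven cases from ../sanitizer.dat: an array of objects with
  # 'name', 'input', 'output' and optional 'xhtml'/'rexml' keys (the
  # optional ones default to 'output').  File.read is used instead of
  # Kernel#open(...).read so the handle is closed and the path is never
  # interpreted as a command pipe.
  JSON.parse(File.read(File.expand_path(File.join(File.dirname(__FILE__), '/../sanitizer.dat')))).each do |test|
    define_method "test_#{test['name']}" do
      check_sanitization(
        test['input'],
        test['output'],
        test['xhtml'] || test['output'],
        test['rexml'] || test['output']
      )
    end
  end
end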