From e68b9d00a6e05b3a941f63ffb696f91e554ac5ec Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Fri, 18 Oct 2024 20:33:49 +0200
Subject: Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann
---
modules/markup/sanitizer_test.go | 110 +++++++++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+)
create mode 100644 modules/markup/sanitizer_test.go
(limited to 'modules/markup/sanitizer_test.go')
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
new file mode 100644
index 0000000..4441a41
--- /dev/null
+++ b/modules/markup/sanitizer_test.go
@@ -0,0 +1,110 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2017 The Gogs Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package markup
+
+import (
+ "html/template"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func Test_Sanitizer(t *testing.T) {
+ NewSanitizer()
+ testCases := []string{
+ // Regular
+ `Google`, `Google`,
+
+ // Code highlighting class
+ ``, ``,
+ ``, ``,
+ ``, ``,
+
+ // Input checkbox
+ ``, ``,
+ ``, ``,
+ ``, ``,
+
+ // Code highlight injection
+ ``, ``,
+ `
+ 
+
+Hello there! Something has gone wrong, we are working on it.
+In the meantime, play a game with us at example.com.
+`, "\n\u00a0\n\nHello there! Something has gone wrong, we are working on it.\nIn the meantime, play a game with us at\u00a0example.com.\n",
+
+ // tags
+ `Ctrl + C`, `Ctrl + C`,
+ `NAUGHTY`, `NAUGHTY`,
+ ``, ``,
+ `unchecked`, `unchecked`,
+ `NAUGHTY`, `NAUGHTY`,
+ `contents`, `contents`,
+
+ // Color property
+ `Hello World`, `Hello World`,
+ `

Hello World

`, `

Hello World

`,
+ `
TH1TH2TH3
TD1TD2TD3
`, `
TH1TH2TH3
TD1TD2TD3
`,
+ `Hello World`, `Hello World`,
+ `Hello World`, `Hello World`,
+ `Hello World`, `Hello World`,
+ `

Hello World

`, `

Hello World

`,
+ `Hello World`, `Hello World`,
+
+ // Org mode status of list items.
+ `
  • `, `
  • `, + `
  • `, `
  • `, + `
  • `, `
  • `,
+
+ // URLs
+ `my custom URL scheme`, `my custom URL scheme`,
+ `my custom URL scheme`, `my custom URL scheme`,
+
+ // Disallow dangerous url schemes
+ `bad`, `bad`,
+ `bad`, `bad`,
+ `bad`, `bad`,
+ }
+
+ for i := 0; i < len(testCases); i += 2 {
+ assert.Equal(t, testCases[i+1], Sanitize(testCases[i]))
+ }
+}
+
+func TestDescriptionSanitizer(t *testing.T) {
+ NewSanitizer()
+
+ testCases := []string{
+ `

    Title

    `, `Title`,
+ `image`, ``,
+ `THUMBS UP`, `THUMBS UP`,
+ `Hello World`, `Hello World`,
+ `
    `, ``,
+ `https://example.com`, `https://example.com`,
+ `Important!`, `Important!`,
+ `
    Click me! Nothing to see here.
    `, `Click me! Nothing to see here.`,
+ ``, ``,
+ `I have a strong opinion about this.`, `I have a strong opinion about this.`,
+ `Provides alternative wg(8) tool`, `Provides alternative wg(8) tool`,
+ `Click me.`, `Click me.`,
+ `Click me.`, `Click me.`,
+ `Click me.`, `Click me.`,
+ }
+
+ for i := 0; i < len(testCases); i += 2 {
+ assert.Equal(t, testCases[i+1], SanitizeDescription(testCases[i]))
+ }
+}
+
+func TestSanitizeNonEscape(t *testing.T) {
+ descStr := "<script>alert(document.domain)</script>"
+
+ output := template.HTML(Sanitize(descStr))
+ if strings.Contains(string(output), "