2014-02-13 15:10:09 +08:00
|
|
|
/**
|
2017-12-21 14:19:10 +08:00
|
|
|
* tests for custom method
|
2014-02-13 16:38:32 +08:00
|
|
|
*
|
2017-12-21 14:19:10 +08:00
|
|
|
* @author Zongmin Lei<leizongmin@gmail.com>
|
2014-02-13 15:10:09 +08:00
|
|
|
*/
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
var assert = require("assert");
|
|
|
|
|
var xss = require("../");
|
|
|
|
|
var debug = require("debug")("xss:test");
|
2014-02-13 15:10:09 +08:00
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
describe("test custom XSS method", function() {
|
|
|
|
|
it("#onTag - match tag", function() {
|
2014-02-13 15:27:58 +08:00
|
|
|
var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onTag: function(tag, html, options) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2014-02-13 15:27:58 +08:00
|
|
|
i++;
|
|
|
|
|
if (i === 1) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "a");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(html, '<a href="#">');
|
|
|
|
|
assert.equal(options.isClosing, false);
|
|
|
|
|
assert.equal(options.position, 2);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 2);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, true);
|
|
|
|
|
} else if (i === 2) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "b");
|
|
|
|
|
assert.equal(html, "<b>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, false);
|
|
|
|
|
assert.equal(options.position, 14);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 14);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, true);
|
|
|
|
|
} else if (i === 3) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "c");
|
|
|
|
|
assert.equal(html, "<c>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, false);
|
|
|
|
|
assert.equal(options.position, 17);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 17);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, false);
|
|
|
|
|
} else if (i === 4) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "c");
|
|
|
|
|
assert.equal(html, "</c>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, true);
|
|
|
|
|
assert.equal(options.position, 30);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 24);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, false);
|
|
|
|
|
} else if (i === 5) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "b");
|
|
|
|
|
assert.equal(html, "</b>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, true);
|
|
|
|
|
assert.equal(options.position, 40);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 28);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, true);
|
|
|
|
|
} else if (i === 6) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "a");
|
|
|
|
|
assert.equal(html, "</a>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, true);
|
|
|
|
|
assert.equal(options.position, 44);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 32);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, true);
|
|
|
|
|
} else if (i === 7) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "br");
|
|
|
|
|
assert.equal(html, "<br>");
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isClosing, false);
|
|
|
|
|
assert.equal(options.position, 48);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 36);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(options.isWhite, true);
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(
|
|
|
|
|
html,
|
|
|
|
|
'dd<a href="#"><b><c>haha</c></b></a><br>ff'
|
|
|
|
|
);
|
2014-02-13 15:27:58 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onTag - return new html", function() {
|
2014-02-13 15:27:58 +08:00
|
|
|
var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onTag: function(tag, html, options) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 15:27:58 +08:00
|
|
|
return html;
|
|
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 15:27:58 +08:00
|
|
|
assert.equal(html, source);
|
|
|
|
|
});
|
2014-02-13 15:10:09 +08:00
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onIgnoreTag - match tag", function() {
|
2014-02-13 15:31:19 +08:00
|
|
|
var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onIgnoreTag: function(tag, html, options) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2014-02-13 15:31:19 +08:00
|
|
|
i++;
|
|
|
|
|
if (i === 1) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "c");
|
|
|
|
|
assert.equal(html, "<c>");
|
2014-02-13 15:31:19 +08:00
|
|
|
assert.equal(options.isClosing, false);
|
|
|
|
|
assert.equal(options.position, 17);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 17);
|
2014-02-13 15:31:19 +08:00
|
|
|
assert.equal(options.isWhite, false);
|
|
|
|
|
} else if (i === 2) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "c");
|
|
|
|
|
assert.equal(html, "</c>");
|
2014-02-13 15:31:19 +08:00
|
|
|
assert.equal(options.isClosing, true);
|
|
|
|
|
assert.equal(options.position, 30);
|
2014-02-13 16:33:35 +08:00
|
|
|
assert.equal(options.sourcePosition, 24);
|
2014-02-13 15:31:19 +08:00
|
|
|
assert.equal(options.isWhite, false);
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(
|
|
|
|
|
html,
|
|
|
|
|
'dd<a href="#"><b><c>haha</c></b></a><br>ff'
|
|
|
|
|
);
|
2014-02-13 15:31:19 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onIgnoreTag - return new html", function() {
|
2014-02-13 15:31:19 +08:00
|
|
|
var source = 'dd<a href="#"><b><c>haha</c></b></a><br>ff';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onIgnoreTag: function(tag, html, options) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
return "[" + (options.isClosing ? "/" : "") + "removed]";
|
2014-02-13 15:31:19 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(
|
|
|
|
|
html,
|
|
|
|
|
'dd<a href="#"><b>[removed]haha[/removed]</b></a><br>ff'
|
|
|
|
|
);
|
2014-02-13 15:31:19 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onTagAttr - match attr", function() {
|
|
|
|
|
var source =
|
|
|
|
|
'<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
|
2014-02-13 15:55:36 +08:00
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onTagAttr: function(tag, name, value, isWhiteAttr) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "a");
|
2014-02-13 15:55:36 +08:00
|
|
|
i++;
|
|
|
|
|
if (i === 1) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "href");
|
|
|
|
|
assert.equal(value, "#");
|
2014-02-13 15:55:36 +08:00
|
|
|
assert.equal(isWhiteAttr, true);
|
|
|
|
|
} else if (i === 2) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "target");
|
|
|
|
|
assert.equal(value, "_blank");
|
2014-02-13 15:55:36 +08:00
|
|
|
assert.equal(isWhiteAttr, true);
|
|
|
|
|
} else if (i === 3) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "checked");
|
|
|
|
|
assert.equal(value, "");
|
2014-02-13 15:55:36 +08:00
|
|
|
assert.equal(isWhiteAttr, false);
|
|
|
|
|
} else if (i === 4) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "data-a");
|
|
|
|
|
assert.equal(value, "b");
|
2014-02-13 15:55:36 +08:00
|
|
|
assert.equal(isWhiteAttr, false);
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 15:55:36 +08:00
|
|
|
assert.equal(html, '<a href="#" target="_blank">hi</a>');
|
|
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onTagAttr - match attr", function() {
|
|
|
|
|
var source =
|
|
|
|
|
'<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
|
2014-02-13 15:55:36 +08:00
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onTagAttr: function(tag, name, value, isWhiteAttr) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2017-12-21 14:22:34 +08:00
|
|
|
return "$" + name + "$";
|
2014-02-13 15:55:36 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<a $href$ $target$ $checked$ $data-a$>hi</a>");
|
2014-02-13 15:55:36 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onIgnoreTagAttr - match attr", function() {
|
|
|
|
|
var source =
|
|
|
|
|
'<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
|
2014-02-13 15:59:37 +08:00
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "a");
|
2014-02-13 15:59:37 +08:00
|
|
|
i++;
|
|
|
|
|
if (i === 1) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "checked");
|
|
|
|
|
assert.equal(value, "");
|
2014-02-13 15:59:37 +08:00
|
|
|
assert.equal(isWhiteAttr, false);
|
|
|
|
|
} else if (i === 2) {
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(name, "data-a");
|
|
|
|
|
assert.equal(value, "b");
|
2014-02-13 15:59:37 +08:00
|
|
|
assert.equal(isWhiteAttr, false);
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 15:59:37 +08:00
|
|
|
assert.equal(html, '<a href="#" target="_blank">hi</a>');
|
|
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#onIgnoreTagAttr - match attr", function() {
|
|
|
|
|
var source =
|
|
|
|
|
'<a href="#" target="_blank" checked data-a="b">hi</a href="d">';
|
2014-02-13 15:59:37 +08:00
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2017-12-21 14:22:34 +08:00
|
|
|
return "$" + name + "$";
|
2014-02-13 15:59:37 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 15:59:37 +08:00
|
|
|
assert.equal(html, '<a href="#" target="_blank" $checked$ $data-a$>hi</a>');
|
|
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#escapeHtml - default", function() {
|
|
|
|
|
var source = "<x>yy</x><a>bb</a>";
|
2014-02-13 16:13:26 +08:00
|
|
|
var html = xss(source);
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<x>yy</x><a>bb</a>");
|
2014-02-13 16:13:26 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#escapeHtml - return new value", function() {
|
|
|
|
|
var source = "<x>yy</x><a>bb</a>";
|
2014-02-13 16:13:26 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
escapeHtml: function(str) {
|
|
|
|
|
return str ? "[" + str + "]" : str;
|
2014-02-13 16:13:26 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "[<x>][yy][</x>]<a>[bb]</a>");
|
2014-02-13 16:13:26 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#safeAttrValue - default", function() {
|
2014-02-13 16:18:10 +08:00
|
|
|
var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
|
|
|
|
|
var html = xss(source);
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-18 14:35:50 +08:00
|
|
|
assert.equal(html, '<a href title="hi">link</a>');
|
2014-02-13 16:18:10 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#safeAttrValue - return new value", function() {
|
2014-02-13 16:18:10 +08:00
|
|
|
var source = '<a href="javascript:alert(/xss/)" title="hi">link</a>';
|
|
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
safeAttrValue: function(tag, name, value) {
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(arguments);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(tag, "a");
|
|
|
|
|
return "$" + name + "$";
|
2014-02-13 16:18:10 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2014-02-13 16:18:10 +08:00
|
|
|
assert.equal(html, '<a href="$href$" title="$title$">link</a>');
|
|
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTag", function() {
|
|
|
|
|
var source = "<x>yy</x><a>bb</a>";
|
2014-02-13 16:27:49 +08:00
|
|
|
var html = xss(source, {
|
|
|
|
|
stripIgnoreTag: true
|
2014-02-13 15:10:09 +08:00
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "yy<a>bb</a>");
|
2014-02-13 15:10:09 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripTagBody - true", function() {
|
|
|
|
|
var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
|
2014-02-13 18:18:43 +08:00
|
|
|
var html = xss(source, {
|
|
|
|
|
stripIgnoreTagBody: true
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<a>link</a>bk");
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTagBody - *", function() {
|
|
|
|
|
var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
|
2014-02-13 18:18:43 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
stripIgnoreTagBody: "*"
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<a>link</a>bk");
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTagBody - ['x']", function() {
|
|
|
|
|
var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
|
2014-02-13 18:18:43 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
stripIgnoreTagBody: ["x"]
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<a>link</a><y>a<y></y>b</y>k");
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTagBody - ['x'] & onIgnoreTag", function() {
|
|
|
|
|
var source = "<a>link</a><x>haha</x><y>a<y></y>b</y>k";
|
2014-02-13 18:18:43 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
stripIgnoreTagBody: ["x"],
|
|
|
|
|
onIgnoreTag: function(tag, html, options) {
|
|
|
|
|
return "$" + tag + "$";
|
2014-02-13 18:18:43 +08:00
|
|
|
}
|
|
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "<a>link</a>$y$a$y$$y$b$y$k");
|
2014-02-13 18:18:43 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTag & stripIgnoreTagBody", function() {
|
|
|
|
|
var source = "<scri" + "pt>alert(/xss/);</scri" + "pt>";
|
2014-03-03 18:21:39 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
stripIgnoreTag: true,
|
|
|
|
|
stripIgnoreTagBody: ["script"]
|
2014-03-03 18:21:39 +08:00
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "");
|
2014-03-03 18:21:39 +08:00
|
|
|
});
|
|
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("#stripIgnoreTag & stripIgnoreTagBody - 2", function() {
|
|
|
|
|
var source = "ooxx<scri" + "pt>alert(/xss/);</scri" + "pt>";
|
2014-03-03 18:21:39 +08:00
|
|
|
var html = xss(source, {
|
2017-12-21 14:22:34 +08:00
|
|
|
stripIgnoreTag: true,
|
|
|
|
|
stripIgnoreTagBody: ["script"]
|
2014-03-03 18:21:39 +08:00
|
|
|
});
|
2015-12-01 22:10:48 +08:00
|
|
|
debug(html);
|
2017-12-21 14:22:34 +08:00
|
|
|
assert.equal(html, "ooxx");
|
2014-03-03 18:21:39 +08:00
|
|
|
});
|
2014-02-13 18:18:43 +08:00
|
|
|
|
2017-12-21 14:22:34 +08:00
|
|
|
it("cssFilter", function() {
|
2016-11-06 11:06:02 +08:00
|
|
|
var whiteList = xss.getDefaultWhiteList();
|
2017-12-21 14:22:34 +08:00
|
|
|
whiteList.div.push("style");
|
|
|
|
|
assert.equal(
|
|
|
|
|
xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
|
|
|
|
|
whiteList: whiteList
|
|
|
|
|
}),
|
|
|
|
|
'<div style="width:50%;">hello</div>'
|
|
|
|
|
);
|
|
|
|
|
assert.equal(
|
|
|
|
|
xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
|
|
|
|
|
whiteList: whiteList,
|
|
|
|
|
css: false
|
|
|
|
|
}),
|
|
|
|
|
'<div style="width: 50%; vertical-align: top;">hello</div>'
|
|
|
|
|
);
|
2016-11-06 11:06:02 +08:00
|
|
|
var css = { whiteList: xss.getDefaultCSSWhiteList() };
|
2017-12-21 14:22:34 +08:00
|
|
|
css.whiteList["vertical-align"] = true;
|
|
|
|
|
assert.equal(
|
|
|
|
|
xss('<div style="width: 50%; vertical-align: top;">hello</div>', {
|
|
|
|
|
whiteList: whiteList,
|
|
|
|
|
css: css
|
|
|
|
|
}),
|
|
|
|
|
'<div style="width:50%; vertical-align:top;">hello</div>'
|
|
|
|
|
);
|
2016-11-06 11:06:02 +08:00
|
|
|
});
|
2020-07-22 23:40:13 +01:00
|
|
|
|
2021-01-25 21:17:00 +01:00
|
|
|
it("#onTag - sanitize html parameter space", function() {
|
2020-07-22 23:40:13 +01:00
|
|
|
var source = '<a target= " href="><script>alert(2)</script>"><span>';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
|
|
|
|
onTag: function(_, E, S) {
|
|
|
|
|
if (S.isWhite && "a" === _) {
|
2020-07-24 10:41:06 +01:00
|
|
|
if (S.isClosing) return "</span></a>";
|
|
|
|
|
return "".concat(E, '<span>');
|
2020-07-22 23:40:13 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
debug(html);
|
|
|
|
|
assert.equal(html, '<a target= " href="><span><script>alert(2)</script>"><span>');
|
|
|
|
|
});
|
2021-01-25 21:17:00 +01:00
|
|
|
|
|
|
|
|
it("#onTag - sanitize html parameter tab", function() {
|
|
|
|
|
var source = '<a target= " href="><script>alert(2)</script>"><span>';
|
|
|
|
|
var i = 0;
|
|
|
|
|
var html = xss(source, {
|
|
|
|
|
onTag: function(_, E, S) {
|
|
|
|
|
if (S.isWhite && "a" === _) {
|
|
|
|
|
if (S.isClosing) return "</span></a>";
|
|
|
|
|
return "".concat(E, '<span>');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
debug(html);
|
|
|
|
|
assert.equal(html, '<a target= " href="><span><script>alert(2)</script>"><span>');
|
|
|
|
|
});
|
2017-12-21 14:22:34 +08:00
|
|
|
});
|
