/** * 测试XSS 自定义处理函数 * * @author 老雷 */ var assert = require('assert'); var xss = require('../'); var debug = require('debug')('xss:test'); describe('test custom XSS method', function () { it('#onTag - match tag', function () { var source = 'ddhaha
ff'; var i = 0; var html = xss(source, { onTag: function (tag, html, options) { debug(arguments); i++; if (i === 1) { assert.equal(tag, 'a'); assert.equal(html, ''); assert.equal(options.isClosing, false); assert.equal(options.position, 2); assert.equal(options.sourcePosition, 2); assert.equal(options.isWhite, true); } else if (i === 2) { assert.equal(tag, 'b'); assert.equal(html, ''); assert.equal(options.isClosing, false); assert.equal(options.position, 14); assert.equal(options.sourcePosition, 14); assert.equal(options.isWhite, true); } else if (i === 3) { assert.equal(tag, 'c'); assert.equal(html, ''); assert.equal(options.isClosing, false); assert.equal(options.position, 17); assert.equal(options.sourcePosition, 17); assert.equal(options.isWhite, false); } else if (i === 4) { assert.equal(tag, 'c'); assert.equal(html, ''); assert.equal(options.isClosing, true); assert.equal(options.position, 30); assert.equal(options.sourcePosition, 24); assert.equal(options.isWhite, false); } else if (i === 5) { assert.equal(tag, 'b'); assert.equal(html, ''); assert.equal(options.isClosing, true); assert.equal(options.position, 40); assert.equal(options.sourcePosition, 28); assert.equal(options.isWhite, true); } else if (i === 6) { assert.equal(tag, 'a'); assert.equal(html, ''); assert.equal(options.isClosing, true); assert.equal(options.position, 44); assert.equal(options.sourcePosition, 32); assert.equal(options.isWhite, true); } else if (i === 7) { assert.equal(tag, 'br'); assert.equal(html, '
'); assert.equal(options.isClosing, false); assert.equal(options.position, 48); assert.equal(options.sourcePosition, 36); assert.equal(options.isWhite, true); } else { throw new Error(); } } }); debug(html); assert.equal(html, 'dd<c>haha</c>
ff'); }); it('#onTag - return new html', function () { var source = 'ddhaha
ff'; var i = 0; var html = xss(source, { onTag: function (tag, html, options) { debug(html); return html; } }); debug(html); assert.equal(html, source); }); it('#onIgnoreTag - match tag', function () { var source = 'ddhaha
ff'; var i = 0; var html = xss(source, { onIgnoreTag: function (tag, html, options) { debug(arguments); i++; if (i === 1) { assert.equal(tag, 'c'); assert.equal(html, ''); assert.equal(options.isClosing, false); assert.equal(options.position, 17); assert.equal(options.sourcePosition, 17); assert.equal(options.isWhite, false); } else if (i === 2) { assert.equal(tag, 'c'); assert.equal(html, ''); assert.equal(options.isClosing, true); assert.equal(options.position, 30); assert.equal(options.sourcePosition, 24); assert.equal(options.isWhite, false); } else { throw new Error(); } } }); debug(html); assert.equal(html, 'dd<c>haha</c>
ff'); }); it('#onIgnoreTag - return new html', function () { var source = 'ddhaha
ff'; var i = 0; var html = xss(source, { onIgnoreTag: function (tag, html, options) { debug(html); return '[' + (options.isClosing ? '/' : '') + 'removed]'; } }); debug(html); assert.equal(html, 'dd[removed]haha[/removed]
ff'); }); it('#onTagAttr - match attr', function () { var source = 'hi'; var i = 0; var html = xss(source, { onTagAttr: function (tag, name, value, isWhiteAttr) { debug(arguments); assert.equal(tag, 'a'); i++; if (i === 1) { assert.equal(name, 'href'); assert.equal(value, '#'); assert.equal(isWhiteAttr, true); } else if (i === 2) { assert.equal(name, 'target'); assert.equal(value, '_blank'); assert.equal(isWhiteAttr, true); } else if (i === 3) { assert.equal(name, 'checked'); assert.equal(value, ''); assert.equal(isWhiteAttr, false); } else if (i === 4) { assert.equal(name, 'data-a'); assert.equal(value, 'b'); assert.equal(isWhiteAttr, false); } else { throw new Error(); } } }); debug(html); assert.equal(html, 'hi'); }); it('#onTagAttr - match attr', function () { var source = 'hi'; var i = 0; var html = xss(source, { onTagAttr: function (tag, name, value, isWhiteAttr) { debug(arguments); return '$' + name + '$'; } }); debug(html); assert.equal(html, 'hi'); }); it('#onIgnoreTagAttr - match attr', function () { var source = 'hi'; var i = 0; var html = xss(source, { onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { debug(arguments); assert.equal(tag, 'a'); i++; if (i === 1) { assert.equal(name, 'checked'); assert.equal(value, ''); assert.equal(isWhiteAttr, false); } else if (i === 2) { assert.equal(name, 'data-a'); assert.equal(value, 'b'); assert.equal(isWhiteAttr, false); } else { throw new Error(); } } }); debug(html); assert.equal(html, 'hi'); }); it('#onIgnoreTagAttr - match attr', function () { var source = 'hi'; var i = 0; var html = xss(source, { onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) { debug(arguments); return '$' + name + '$'; } }); debug(html); assert.equal(html, 'hi'); }); it('#escapeHtml - default', function () { var source = 'yybb'; var html = xss(source); debug(html); assert.equal(html, '<x>yy</x>bb'); }); it('#escapeHtml - return new value', function () { var source = 'yybb'; var html = xss(source, { escapeHtml: function (str) { return (str ? '[' + str + ']' : str); } }); debug(html); assert.equal(html, '[][yy][][bb]'); }); it('#safeAttrValue - default', function () { var source = 'link'; var html = xss(source); debug(html); assert.equal(html, 'link'); }); it('#safeAttrValue - return new value', function () { var source = 'link'; var html = xss(source, { safeAttrValue: function (tag, name, value) { debug(arguments); assert.equal(tag, 'a'); return '$' + name + '$'; } }); debug(html); assert.equal(html, 'link'); }); it('#stripIgnoreTag', function () { var source = 'yybb'; var html = xss(source, { stripIgnoreTag: true }); debug(html); assert.equal(html, 'yybb'); }); it('#stripTagBody - true', function () { var source = 'linkhahaabk'; var html = xss(source, { stripIgnoreTagBody: true }); debug(html); assert.equal(html, 'linkbk'); }); it('#stripIgnoreTagBody - *', function () { var source = 'linkhahaabk'; var html = xss(source, { stripIgnoreTagBody: '*' }); debug(html); assert.equal(html, 'linkbk'); }); it('#stripIgnoreTagBody - [\'x\']', function () { var source = 'linkhahaabk'; var html = xss(source, { stripIgnoreTagBody: ['x'] }); debug(html); assert.equal(html, 'link<y>a<y></y>b</y>k'); }); it('#stripIgnoreTagBody - [\'x\'] & onIgnoreTag', function () { var source = 'linkhahaabk'; var html = xss(source, { stripIgnoreTagBody: ['x'], onIgnoreTag: function (tag, html, options) { return '$' + tag + '$'; } }); debug(html); assert.equal(html, 'link$y$a$y$$y$b$y$k'); }); it('#stripIgnoreTag & stripIgnoreTagBody', function () { var source = 'alert(/xss/);'; var html = xss(source, { stripIgnoreTag: true, stripIgnoreTagBody: ['script'] }); debug(html); assert.equal(html, ''); }); it('#stripIgnoreTag & stripIgnoreTagBody - 2', function () { var source = 'ooxxalert(/xss/);'; var html = xss(source, { stripIgnoreTag: true, stripIgnoreTagBody: ['script'] }); debug(html); assert.equal(html, 'ooxx'); }); it('cssFilter', function () { var whiteList = xss.getDefaultWhiteList(); whiteList.div.push('style'); assert.equal(xss('

hello

', { whiteList: whiteList }), '

hello

'); assert.equal(xss('

hello

', { whiteList: whiteList, css: false }), '

hello

'); var css = { whiteList: xss.getDefaultCSSWhiteList() }; css.whiteList['vertical-align'] = true; assert.equal(xss('

hello

', { whiteList: whiteList, css: css }), '

hello

'); }); });