Home Explore Help
Register Sign In
aeth
/
keiji
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: wip
Branches Tags
keiji
/
html
/
css
/
bootstrap-5.0.2
/
js
/
tests
/
unit
/
util
/
sanitizer.spec.js

sanitizer.spec.js 2.2 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. import { DefaultAllowlist, sanitizeHtml } from '../../../src/util/sanitizer'
    2. 

  2. 

  3. describe('Sanitizer', () => {
    4. 

  4.   describe('sanitizeHtml', () => {
    5. 

  5.     it('should return the same on empty string', () => {
    6. 

  6.       const empty = ''
    7. 

  7. 

  8.       const result = sanitizeHtml(empty, DefaultAllowlist, null)
    9. 

  9. 

  10.       expect(result).toEqual(empty)
    11. 

  11.     })
    12. 

  12. 

  13.     it('should sanitize template by removing tags with XSS', () => {
    14. 

  14.       const template = [
    15. 

  15.         '<div>',
    16. 

  16.         '  <a href="javascript:alert(7)">Click me</a>',
    17. 

  17.         '  <span>Some content</span>',
    18. 

  18.         '</div>'
    19. 

  19.       ].join('')
    20. 

  20. 

  21.       const result = sanitizeHtml(template, DefaultAllowlist, null)
    22. 

  22. 

  23.       expect(result).not.toContain('href="javascript:alert(7)')
    24. 

  24.     })
    25. 

  25. 

  26.     it('should allow aria attributes and safe attributes', () => {
    27. 

  27.       const template = [
    28. 

  28.         '<div aria-pressed="true">',
    29. 

  29.         '  <span class="test">Some content</span>',
    30. 

  30.         '</div>'
    31. 

  31.       ].join('')
    32. 

  32. 

  33.       const result = sanitizeHtml(template, DefaultAllowlist, null)
    34. 

  34. 

  35.       expect(result).toContain('aria-pressed')
    36. 

  36.       expect(result).toContain('class="test"')
    37. 

  37.     })
    38. 

  38. 

  39.     it('should remove tags not in allowlist', () => {
    40. 

  40.       const template = [
    41. 

  41.         '<div>',
    42. 

  42.         '  <script>alert(7)</script>',
    43. 

  43.         '</div>'
    44. 

  44.       ].join('')
    45. 

  45. 

  46.       const result = sanitizeHtml(template, DefaultAllowlist, null)
    47. 

  47. 

  48.       expect(result).not.toContain('<script>')
    49. 

  49.     })
    50. 

  50. 

  51.     it('should not use native api to sanitize if a custom function passed', () => {
    52. 

  52.       const template = [
    53. 

  53.         '<div>',
    54. 

  54.         '  <span>Some content</span>',
    55. 

  55.         '</div>'
    56. 

  56.       ].join('')
    57. 

  57. 

  58.       function mySanitize(htmlUnsafe) {
    59. 

  59.         return htmlUnsafe
    60. 

  60.       }
    61. 

  61. 

  62.       spyOn(DOMParser.prototype, 'parseFromString')
    63. 

  63. 

  64.       const result = sanitizeHtml(template, DefaultAllowlist, mySanitize)
    65. 

  65. 

  66.       expect(result).toEqual(template)
    67. 

  67.       expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()
    68. 

  68.     })
    69. 

  69. 

  70.     it('should allow multiple sanitation passes of the same template', () => {
    71. 

  71.       const template = '<img src="test.jpg">'
    72. 

  72. 

  73.       const firstResult = sanitizeHtml(template, DefaultAllowlist, null)
    74. 

  74.       const secondResult = sanitizeHtml(template, DefaultAllowlist, null)
    75. 

  75. 

  76.       expect(firstResult).toContain('src')
    77. 

  77.       expect(secondResult).toContain('src')
    78. 

  78.     })
    79. 

  79.   })
    80. 

  80. })
    81.