discourse/test/javascripts/lib/sanitizer-test.js.es6

import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text';
import { hrefAllowed } from 'pretty-text/sanitizer';

QUnit.module("lib:sanitizer");

QUnit.test("sanitize", assert => {
  const pt = new PrettyText(buildOptions({ siteSettings: {
    "allowed_iframes": 'https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?'
  } }));
  const cooked = (input, expected, text) => assert.equal(pt.cook(input), expected.replace(/\/>/g, ">"), text);

  assert.equal(pt.sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
  assert.equal(pt.sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
  assert.equal(pt.sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
  assert.equal(pt.sanitize("<3 <3"), "&lt;3 &lt;3");
  assert.equal(pt.sanitize("<_<"), "&lt;_&lt;");

  cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");

  cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
         "<p><a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a></p>",
         "we can embed proper links");

  cooked("<center>hello</center>", "hello", "it does not allow centering");
  cooked("<blockquote>a\n</blockquote>\n", "<blockquote>a\n</blockquote>", "it does not double sanitize");

  cooked("<iframe src=\"http://discourse.org\" width=\"100\" height=\"42\"></iframe>", "", "it does not allow most iframes");

  cooked("<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",
         "<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",
         "it allows iframe to google maps");

  cooked("<iframe width=\"425\" height=\"350\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\" src=\"https://www.openstreetmap.org/export/embed.html?bbox=22.49454975128174%2C51.220338322410775%2C22.523088455200195%2C51.23345342732931&amp;layer=mapnik\"></iframe>",
         "<iframe width=\"425\" height=\"350\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\" src=\"https://www.openstreetmap.org/export/embed.html?bbox=22.49454975128174%2C51.220338322410775%2C22.523088455200195%2C51.23345342732931&amp;layer=mapnik\"></iframe>",
         "it allows iframe to OpenStreetMap");

  assert.equal(pt.sanitize("<textarea>hullo</textarea>"), "hullo");
  assert.equal(pt.sanitize("<button>press me!</button>"), "press me!");
  assert.equal(pt.sanitize("<canvas>draw me!</canvas>"), "draw me!");
  assert.equal(pt.sanitize("<progress>hello"), "hello");
  assert.equal(pt.sanitize("<mark>highlight</mark>"), "highlight");

  cooked("[the answer](javascript:alert(42))", "<p>[the answer](javascript:alert(42))</p>", "it prevents XSS");

  cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i></p>", "it doesn't circumvent XSS with comments");

  cooked("<span class=\"-bbcode-s fa fa-spin\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");
  cooked("<span class=\"fa fa-spin -bbcode-s\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");
  cooked("<span class=\"bbcode-s\">a</span>", "<p><span class=\"bbcode-s\">a</span></p>", "it sanitizes spans");

  cooked("<kbd>Ctrl</kbd>+<kbd>C</kbd>", "<p><kbd>Ctrl</kbd>+<kbd>C</kbd></p>");
  cooked("it has been <strike>1 day</strike> 0 days since our last test failure", "<p>it has been <strike>1 day</strike> 0 days since our last test failure</p>");
  cooked(`it has been <s>1 day</s> 0 days since our last test failure`, `<p>it has been <s>1 day</s> 0 days since our last test failure</p>`);

  cooked(`<div align="center">hello</div>`, `<div align="center">hello</div>`);

  cooked(`1 + 1 is <del>3</del> <ins>2</ins>`, `<p>1 + 1 is <del>3</del> <ins>2</ins></p>`);
  cooked(`<abbr title="JavaScript">JS</abbr>`, `<p><abbr title="JavaScript">JS</abbr></p>`);
  cooked(`<dl><dt>Forum</dt><dd>Software</dd></dl>`, `<dl><dt>Forum</dt><dd>Software</dd></dl>`);
  cooked(`<sup>high</sup> <sub>low</sub> <big>HUGE</big>`, `<p><sup>high</sup> <sub>low</sub> <big>HUGE</big></p>`);

  cooked(`<div dir="rtl">RTL text</div>`, `<div dir="rtl">RTL text</div>`);
});

QUnit.test("ids on headings", assert => {
  const pt = new PrettyText(buildOptions({ siteSettings: {} }));
  assert.equal(pt.sanitize("<h3>Test Heading</h3>"), "<h3>Test Heading</h3>");
  assert.equal(pt.sanitize(`<h1 id="heading--test">Test Heading</h1>`), `<h1 id="heading--test">Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h2 id="heading--cool">Test Heading</h2>`), `<h2 id="heading--cool">Test Heading</h2>`);
  assert.equal(pt.sanitize(`<h3 id="heading--dashed-name">Test Heading</h3>`), `<h3 id="heading--dashed-name">Test Heading</h3>`);
  assert.equal(pt.sanitize(`<h4 id="heading--underscored_name">Test Heading</h4>`), `<h4 id="heading--underscored_name">Test Heading</h4>`);
  assert.equal(pt.sanitize(`<h5 id="heading--trout">Test Heading</h5>`), `<h5 id="heading--trout">Test Heading</h5>`);
  assert.equal(pt.sanitize(`<h6 id="heading--discourse">Test Heading</h6>`), `<h6 id="heading--discourse">Test Heading</h6>`);
});

QUnit.test("poorly formed ids on headings", assert => {
  let pt = new PrettyText(buildOptions({ siteSettings: {} }));
  assert.equal(pt.sanitize(`<h1 id="evil-trout">Test Heading</h1>`), `<h1>Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h1 id="heading--with space">Test Heading</h1>`), `<h1>Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h1 id="heading--with*char">Test Heading</h1>`), `<h1>Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
  assert.equal(pt.sanitize(`<h1 id="test-heading--cool">Test Heading</h1>`), `<h1>Test Heading</h1>`);
});

QUnit.test("urlAllowed", assert => {
  const allowed = (url, msg) => assert.equal(hrefAllowed(url), url, msg);

  allowed("/foo/bar.html", "allows relative urls");
  allowed("http://eviltrout.com/evil/trout", "allows full urls");
  allowed("https://eviltrout.com/evil/trout", "allows https urls");
  allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");

  assert.equal(hrefAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
        "http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf",
        "escape single quotes");
});
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00			`import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text';`
			`import { hrefAllowed } from 'pretty-text/sanitizer';`

Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`QUnit.module("lib:sanitizer");`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`QUnit.test("sanitize", assert => {`
correct spec and allow for zero allowed iframes 2017-09-01 12:08:39 -04:00			`const pt = new PrettyText(buildOptions({ siteSettings: {`
			`"allowed_iframes": 'https://www.google.com/maps/embed?\|https://www.openstreetmap.org/export/embed.html?'`
			`} }));`
Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`const cooked = (input, expected, text) => assert.equal(pt.cook(input), expected.replace(/\/>/g, ">"), text);`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`assert.equal(pt.sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");`
			`assert.equal(pt.sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");`
			`assert.equal(pt.sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");`
			`assert.equal(pt.sanitize("<3 <3"), "<3 <3");`
			`assert.equal(pt.sanitize("<_<"), "<_<");`
Feature: Change markdown engine to markdown it This commit removes the old evilstreak markdownjs engine. - Adds specs to WhiteLister and changes it to stop using globals (Fixes large memory leak) - Fixes edge cases around bbcode handling - Removes mdtest which is no longer valid (to be replaced with CommonMark) - Updates MiniRacer to correct minor unmanaged memory leak - Fixes plugin specs 2017-07-14 08:27:28 -04:00
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00			`cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");`

			`cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",`
			`"<p><a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a></p>",`
			`"we can embed proper links");`

Feature: Change markdown engine to markdown it This commit removes the old evilstreak markdownjs engine. - Adds specs to WhiteLister and changes it to stop using globals (Fixes large memory leak) - Fixes edge cases around bbcode handling - Removes mdtest which is no longer valid (to be replaced with CommonMark) - Updates MiniRacer to correct minor unmanaged memory leak - Fixes plugin specs 2017-07-14 08:27:28 -04:00			`cooked("<center>hello</center>", "hello", "it does not allow centering");`
			`cooked("<blockquote>a\n</blockquote>\n", "<blockquote>a\n</blockquote>", "it does not double sanitize");`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
			`cooked("<iframe src=\"http://discourse.org\" width=\"100\" height=\"42\"></iframe>", "", "it does not allow most iframes");`

			`cooked("<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",`
			`"<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",`
			`"it allows iframe to google maps");`

correct spec and allow for zero allowed iframes 2017-09-01 12:08:39 -04:00			`cooked("<iframe width=\"425\" height=\"350\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\" src=\"https://www.openstreetmap.org/export/embed.html?bbox=22.49454975128174%2C51.220338322410775%2C22.523088455200195%2C51.23345342732931&layer=mapnik\"></iframe>",`
			`"<iframe width=\"425\" height=\"350\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\" src=\"https://www.openstreetmap.org/export/embed.html?bbox=22.49454975128174%2C51.220338322410775%2C22.523088455200195%2C51.23345342732931&layer=mapnik\"></iframe>",`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00			`"it allows iframe to OpenStreetMap");`

Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`assert.equal(pt.sanitize("<textarea>hullo</textarea>"), "hullo");`
			`assert.equal(pt.sanitize("<button>press me!</button>"), "press me!");`
			`assert.equal(pt.sanitize("<canvas>draw me!</canvas>"), "draw me!");`
			`assert.equal(pt.sanitize("<progress>hello"), "hello");`
			`assert.equal(pt.sanitize("<mark>highlight</mark>"), "highlight");`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
Feature: Change markdown engine to markdown it This commit removes the old evilstreak markdownjs engine. - Adds specs to WhiteLister and changes it to stop using globals (Fixes large memory leak) - Fixes edge cases around bbcode handling - Removes mdtest which is no longer valid (to be replaced with CommonMark) - Updates MiniRacer to correct minor unmanaged memory leak - Fixes plugin specs 2017-07-14 08:27:28 -04:00			`cooked("[the answer](javascript:alert(42))", "<p>[the answer](javascript:alert(42))</p>", "it prevents XSS");`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
Feature: Change markdown engine to markdown it This commit removes the old evilstreak markdownjs engine. - Adds specs to WhiteLister and changes it to stop using globals (Fixes large memory leak) - Fixes edge cases around bbcode handling - Removes mdtest which is no longer valid (to be replaced with CommonMark) - Updates MiniRacer to correct minor unmanaged memory leak - Fixes plugin specs 2017-07-14 08:27:28 -04:00			`cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i></p>", "it doesn't circumvent XSS with comments");`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
			`cooked("<span class=\"-bbcode-s fa fa-spin\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");`
			`cooked("<span class=\"fa fa-spin -bbcode-s\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");`
			`cooked("<span class=\"bbcode-s\">a</span>", "<p><span class=\"bbcode-s\">a</span></p>", "it sanitizes spans");`
FIX: Add `kbd` support to the sanitizer 2016-07-05 10:57:41 -04:00
			`cooked("<kbd>Ctrl</kbd>+<kbd>C</kbd>", "<p><kbd>Ctrl</kbd>+<kbd>C</kbd></p>");`
FIX: `<strike>` was no longer whitelisted 2016-07-11 10:28:31 -04:00			`cooked("it has been <strike>1 day</strike> 0 days since our last test failure", "<p>it has been <strike>1 day</strike> 0 days since our last test failure</p>");`
Whitelist some more tags and add extra tests 2016-07-26 11:02:09 -04:00			cooked(`it has been <s>1 day</s> 0 days since our last test failure`, `<p>it has been <s>1 day</s> 0 days since our last test failure</p>`);
FIX: Allow `div align` 2016-07-20 12:39:12 -04:00
			cooked(`<div align="center">hello</div>`, `<div align="center">hello</div>`);
Whitelist some more tags and add extra tests 2016-07-26 11:02:09 -04:00
			cooked(`1 + 1 is <del>3</del> <ins>2</ins>`, `<p>1 + 1 is <del>3</del> <ins>2</ins></p>`);
			cooked(`<abbr title="JavaScript">JS</abbr>`, `<p><abbr title="JavaScript">JS</abbr></p>`);
			cooked(`<dl><dt>Forum</dt><dd>Software</dd></dl>`, `<dl><dt>Forum</dt><dd>Software</dd></dl>`);
FIX: Whitelist the `big` tag 2016-07-29 16:11:18 -04:00			cooked(`<sup>high</sup> <sub>low</sub> <big>HUGE</big>`, `<p><sup>high</sup> <sub>low</sub> <big>HUGE</big></p>`);
FIX: Support `div dir=` in sanitizer 2016-08-15 11:19:10 -04:00
			cooked(`<div dir="rtl">RTL text</div>`, `<div dir="rtl">RTL text</div>`);
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00			`});`

Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`QUnit.test("ids on headings", assert => {`
Support linking to anchored headings in the first post 2016-07-19 17:05:45 -04:00			`const pt = new PrettyText(buildOptions({ siteSettings: {} }));`
Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`assert.equal(pt.sanitize("<h3>Test Heading</h3>"), "<h3>Test Heading</h3>");`
FIX: Headings must begin with `heading--` to avoid some griefing 2017-10-16 11:53:47 -04:00			assert.equal(pt.sanitize(`<h1 id="heading--test">Test Heading</h1>`), `<h1 id="heading--test">Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h2 id="heading--cool">Test Heading</h2>`), `<h2 id="heading--cool">Test Heading</h2>`);
			assert.equal(pt.sanitize(`<h3 id="heading--dashed-name">Test Heading</h3>`), `<h3 id="heading--dashed-name">Test Heading</h3>`);
			assert.equal(pt.sanitize(`<h4 id="heading--underscored_name">Test Heading</h4>`), `<h4 id="heading--underscored_name">Test Heading</h4>`);
			assert.equal(pt.sanitize(`<h5 id="heading--trout">Test Heading</h5>`), `<h5 id="heading--trout">Test Heading</h5>`);
			assert.equal(pt.sanitize(`<h6 id="heading--discourse">Test Heading</h6>`), `<h6 id="heading--discourse">Test Heading</h6>`);
			`});`

			`QUnit.test("poorly formed ids on headings", assert => {`
			`let pt = new PrettyText(buildOptions({ siteSettings: {} }));`
			assert.equal(pt.sanitize(`<h1 id="evil-trout">Test Heading</h1>`), `<h1>Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h1 id="heading--with space">Test Heading</h1>`), `<h1>Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h1 id="heading--with*char">Test Heading</h1>`), `<h1>Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
			assert.equal(pt.sanitize(`<h1 id="test-heading--cool">Test Heading</h1>`), `<h1>Test Heading</h1>`);
Support linking to anchored headings in the first post 2016-07-19 17:05:45 -04:00			`});`

Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`QUnit.test("urlAllowed", assert => {`
			`const allowed = (url, msg) => assert.equal(hrefAllowed(url), url, msg);`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00
			`allowed("/foo/bar.html", "allows relative urls");`
			`allowed("http://eviltrout.com/evil/trout", "allows full urls");`
			`allowed("https://eviltrout.com/evil/trout", "allows https urls");`
			`allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");`

Upgrade QUnit to latest version 2017-06-14 13:57:58 -04:00			`assert.equal(hrefAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),`
REFACTOR: Migrate markdown functionality in ES6 2016-06-14 14:31:51 -04:00			`"http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf",`
			`"escape single quotes");`
			`});`