import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text'; import { hrefAllowed } from 'pretty-text/sanitizer'; module("lib:sanitizer"); test("sanitize", function() { const pt = new PrettyText(buildOptions({ siteSettings: {} })); const cooked = (input, expected, text) => equal(pt.cook(input), expected.replace(/\/>/g, ">"), text); equal(pt.sanitize("bug"), "bug"); equal(pt.sanitize("
"), "
"); equal(pt.sanitize("

hello

"), "

hello

"); equal(pt.sanitize("<3 <3"), "<3 <3"); equal(pt.sanitize("<_<"), "<_<"); cooked("hello", "

hello

", "it sanitizes while cooking"); cooked("disney reddit", "

disney reddit

", "we can embed proper links"); cooked("
hello
", "

hello

", "it does not allow centering"); cooked("
hello
\nafter", "

after

", "it does not allow tables"); cooked("
a\n
\n", "
a\n\n
\n\n
", "it does not double sanitize"); cooked("", "", "it does not allow most iframes"); cooked("", "", "it allows iframe to google maps"); cooked("", "", "it allows iframe to OpenStreetMap"); equal(pt.sanitize(""), "hullo"); equal(pt.sanitize(""), "press me!"); equal(pt.sanitize("draw me!"), "draw me!"); equal(pt.sanitize("hello"), "hello"); equal(pt.sanitize("highlight"), "highlight"); cooked("[the answer](javascript:alert(42))", "

the answer

", "it prevents XSS"); cooked("\n", "


", "it doesn't circumvent XSS with comments"); cooked("a", "

a

", "it sanitizes spans"); cooked("a", "

a

", "it sanitizes spans"); cooked("a", "

a

", "it sanitizes spans"); cooked("Ctrl+C", "

Ctrl+C

"); cooked("it has been 1 day 0 days since our last test failure", "

it has been 1 day 0 days since our last test failure

"); cooked(`it has been 1 day 0 days since our last test failure`, `

it has been 1 day 0 days since our last test failure

`); cooked(`
hello
`, `
hello
`); cooked(`1 + 1 is 3 2`, `

1 + 1 is 3 2

`); cooked(`JS`, `

JS

`); cooked(`
Forum
Software
`, `
Forum
Software
`); cooked(`high low HUGE`, `

high low HUGE

`); cooked(`
RTL text
`, `
RTL text
`); }); test("ids on headings", () => { const pt = new PrettyText(buildOptions({ siteSettings: {} })); equal(pt.sanitize("

Test Heading

"), "

Test Heading

"); equal(pt.sanitize(`

Test Heading

`), `

Test Heading

`); equal(pt.sanitize(`

Test Heading

`), `

Test Heading

`); equal(pt.sanitize(`

Test Heading

`), `

Test Heading

`); equal(pt.sanitize(`

Test Heading

`), `

Test Heading

`); equal(pt.sanitize(`
Test Heading
`), `
Test Heading
`); equal(pt.sanitize(`
Test Heading
`), `
Test Heading
`); }); test("urlAllowed", () => { const allowed = (url, msg) => equal(hrefAllowed(url), url, msg); allowed("/foo/bar.html", "allows relative urls"); allowed("http://eviltrout.com/evil/trout", "allows full urls"); allowed("https://eviltrout.com/evil/trout", "allows https urls"); allowed("//eviltrout.com/evil/trout", "allows protocol relative urls"); equal(hrefAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"), "http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf", "escape single quotes"); });