122 lines
3.9 KiB
Ruby
122 lines
3.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe Onebox::Preview do
|
|
before do
|
|
stub_request(:get, "https://www.amazon.com/product").to_return(
|
|
status: 200,
|
|
body: onebox_response("amazon"),
|
|
)
|
|
end
|
|
|
|
let(:preview_url) { "http://www.amazon.com/product" }
|
|
let(:preview) { described_class.new(preview_url) }
|
|
|
|
describe "#to_s" do
|
|
before do
|
|
stub_request(
|
|
:get,
|
|
"https://www.amazon.com/Seven-Languages-Weeks-Programming-Programmers/dp/193435659X",
|
|
).to_return(status: 200, body: onebox_response("amazon"))
|
|
end
|
|
|
|
it "returns some html if given a valid url" do
|
|
title =
|
|
"Seven Languages in Seven Weeks: A Pragmatic Guide to Learning Programming Languages (Pragmatic Programmers)"
|
|
expect(preview.to_s).to include(title)
|
|
end
|
|
|
|
it "returns an empty string if the url is not valid" do
|
|
expect(described_class.new("not a url").to_s).to eq("")
|
|
end
|
|
end
|
|
|
|
describe "max_width" do
|
|
let(:iframe_html) do
|
|
'<iframe src="//player.vimeo.com/video/96017582" width="1280" height="720" frameborder="0" title="GO BIG OR GO HOME" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>'
|
|
end
|
|
|
|
it "doesn't change dimensions without an option" do
|
|
iframe = described_class.new(preview_url)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"1280\"")
|
|
expect(result).to include("height=\"720\"")
|
|
end
|
|
|
|
it "doesn't change dimensions if it is smaller than `max_width`" do
|
|
iframe = described_class.new(preview_url, max_width: 2000)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"1280\"")
|
|
expect(result).to include("height=\"720\"")
|
|
end
|
|
|
|
it "changes dimensions if larger than `max_width`" do
|
|
iframe = described_class.new(preview_url, max_width: 900)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"900\"")
|
|
expect(result).to include("height=\"506\"")
|
|
end
|
|
end
|
|
|
|
describe "#engine" do
|
|
let(:preview_image_url) { "http://www.example.com/image/without/file_extension" }
|
|
let(:preview_image) { described_class.new(preview_image_url, content_type: "image/png") }
|
|
|
|
it "returns an engine" do
|
|
expect(preview.send(:engine)).to be_an(Onebox::Engine)
|
|
end
|
|
|
|
it "can match based on content_type" do
|
|
expect(preview_image.send(:engine)).to be_an(Onebox::Engine::ImageOnebox)
|
|
end
|
|
end
|
|
|
|
describe "xss" do
|
|
let(:xss) { "wat' onerror='alert(/XSS/)" }
|
|
let(:img_html) { "<img src='#{xss}'>" }
|
|
|
|
it "prevents XSS" do
|
|
preview = described_class.new(preview_url)
|
|
preview.stubs(:engine_html).returns(img_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).not_to match(/onerror/)
|
|
end
|
|
end
|
|
|
|
describe "iframe sanitizer" do
|
|
let(:iframe_html) { "<iframe src='https://thirdparty.example.com'>" }
|
|
|
|
it "sanitizes iframes from unknown origins" do
|
|
preview = described_class.new(preview_url)
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).not_to include(' src="https://thirdparty.example.com"')
|
|
expect(result).to include(' data-unsanitized-src="https://thirdparty.example.com"')
|
|
end
|
|
|
|
it "allows allowed origins" do
|
|
preview =
|
|
described_class.new(preview_url, allowed_iframe_origins: ["https://thirdparty.example.com"])
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).to include ' src="https://thirdparty.example.com"'
|
|
end
|
|
|
|
it "allows wildcard allowed origins" do
|
|
preview = described_class.new(preview_url, allowed_iframe_origins: ["https://*.example.com"])
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).to include ' src="https://thirdparty.example.com"'
|
|
end
|
|
end
|
|
end
|