/** * @license * Copyright Google Inc. All Rights Reserved. * * Use of this source code is governed by an MIT-style license that can be * found in the LICENSE file at https://angular.io/license */ import {browserDetection} from '@angular/platform-browser/testing/src/browser_util'; import {getDOM} from '../../src/dom/dom_adapter'; import {sanitizeHtml} from '../../src/security/html_sanitizer'; { describe('HTML sanitizer', () => { let defaultDoc: any; let originalLog: (msg: any) => any = null !; let logMsgs: string[]; beforeEach(() => { defaultDoc = getDOM().supportsDOMEvents() ? document : getDOM().createHtmlDocument(); logMsgs = []; originalLog = getDOM().log; // Monkey patch DOM.log. getDOM().log = (msg) => logMsgs.push(msg); }); afterEach(() => { getDOM().log = originalLog; }); it('serializes nested structures', () => { expect(sanitizeHtml(defaultDoc, '

a

bcde
')) .toEqual('

a

bcde
'); expect(logMsgs).toEqual([]); }); it('serializes self closing elements', () => { expect(sanitizeHtml(defaultDoc, '

Hello
World

')) .toEqual('

Hello
World

'); }); it('supports namespaced elements', () => { expect(sanitizeHtml(defaultDoc, 'abc')).toEqual('abc'); }); it('supports namespaced attributes', () => { expect(sanitizeHtml(defaultDoc, 't')) .toEqual('t'); expect(sanitizeHtml(defaultDoc, 't')).toEqual('t'); expect(sanitizeHtml(defaultDoc, 't')) .toEqual('t'); }); it('supports HTML5 elements', () => { expect(sanitizeHtml(defaultDoc, '
Works
')) .toEqual('
Works
'); }); it('sanitizes srcset attributes', () => { expect(sanitizeHtml(defaultDoc, '')) .toEqual(''); }); it('supports sanitizing plain text', () => { expect(sanitizeHtml(defaultDoc, 'Hello, World')).toEqual('Hello, World'); }); it('ignores non-element, non-attribute nodes', () => { expect(sanitizeHtml(defaultDoc, 'no.')).toEqual('no.'); expect(sanitizeHtml(defaultDoc, 'no.')).toEqual('no.'); expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/); }); it('supports sanitizing escaped entities', () => { expect(sanitizeHtml(defaultDoc, '🚀')).toEqual('🚀'); expect(logMsgs).toEqual([]); }); it('does not warn when just re-encoding text', () => { expect(sanitizeHtml(defaultDoc, '

Hellö Wörld

')) .toEqual('

Hellö Wörld

'); expect(logMsgs).toEqual([]); }); it('escapes entities', () => { expect(sanitizeHtml(defaultDoc, '

Hello < World

')) .toEqual('

Hello < World

'); expect(sanitizeHtml(defaultDoc, '

Hello < World

')).toEqual('

Hello < World

'); expect(sanitizeHtml(defaultDoc, '

Hello

')) .toEqual('

Hello

'); // NB: quote encoded as ASCII ". }); describe('should strip dangerous elements', () => { const dangerousTags = [ 'frameset', 'form', 'param', 'object', 'embed', 'textarea', 'input', 'button', 'option', 'select', 'script', 'style', 'link', 'base', 'basefont' ]; for (const tag of dangerousTags) { it(`${tag}`, () => { expect(sanitizeHtml(defaultDoc, `<${tag}>evil!`)).toEqual('evil!'); }); } it(`swallows frame entirely`, () => { expect(sanitizeHtml(defaultDoc, `evil!`)).not.toContain(''); }); }); describe('should strip dangerous attributes', () => { const dangerousAttrs = ['id', 'name', 'style']; for (const attr of dangerousAttrs) { it(`${attr}`, () => { expect(sanitizeHtml(defaultDoc, `evil!`)).toEqual('evil!'); }); } }); it('should not enter an infinite loop on clobbered elements', () => { // Some browsers are vulnerable to clobbered elements and will throw an expected exception // IE and EDGE does not seems to be affected by those cases // Anyway what we want to test is that browsers do not enter an infinite loop which would // result in a timeout error for the test. try { sanitizeHtml(defaultDoc, '
'); } catch (e) { // depending on the browser, we might ge an exception } try { sanitizeHtml(defaultDoc, '
'); } catch (e) { // depending on the browser, we might ge an exception } try { sanitizeHtml(defaultDoc, '
'); } catch (e) { // depending on the browser, we might ge an exception } }); if (browserDetection.isWebkit) { it('should prevent mXSS attacks', function() { // In Chrome Canary 62, the ideographic space character is kept as a stringified HTML entity expect(sanitizeHtml(defaultDoc, 'CLICKME')) .toMatch(/CLICKME<\/a>/); }); } }); }