author | Peter De Wachter <pdewacht@gmail.com> | 2019-08-14 09:33:54 +0200 |
---|---|---|
committer | Frédéric Guillot <fred@miniflux.net> | 2019-08-15 21:39:41 -0700 |
commit | ea2b6e3608624a2a14af1956a3ad0035b7fb09f0 (patch) | |
tree | 693bda6a0522c069ec6cff94db9c9a9eabc82d42 /reader/rewrite/rewriter_test.go | |
parent | 3a39d110f0f2a3e976df1e810a861c602a634d14 (diff) |
addImageTitle: Fix HTML injection
This rewrite rule would change this:
<img title="<foo>">
to this:
<figure><img><figcaption><foo></figcaption></figure>
The image title needs to be properly escaped.
Diffstat (limited to 'reader/rewrite/rewriter_test.go')
-rw-r--r-- | reader/rewrite/rewriter_test.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/reader/rewrite/rewriter_test.go b/reader/rewrite/rewriter_test.go
index fe37b53..9bd83e8 100644
--- a/reader/rewrite/rewriter_test.go
+++ b/reader/rewrite/rewriter_test.go
@@ -61,6 +61,15 @@ func TestRewriteWithXkcdLink(t *testing.T) {
 }
 }
 
+func TestRewriteWithXkcdLinkHtmlInjection(t *testing.T) {
+ description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" title="<foo>" alt="<foo>" />`
+ output := Rewriter("https://xkcd.com/1912/", description, ``)
+ expected := `<figure><img src="https://imgs.xkcd.com/comics/thermostat.png" alt="<foo>"/><figcaption><p><foo></p></figcaption></figure>`
+ if expected != output {
+ t.Errorf(`Not expected output: got "%s" instead of "%s"`, output, expected)
+ }
+}
+
 func TestRewriteWithXkcdLinkAndImageNoTitle(t *testing.T) {
 description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" alt="Your problem is so terrible, I worry that, if I help you, I risk drawing the attention of whatever god of technology inflicted it on you." />`
 output := Rewriter("https://xkcd.com/1912/", description, ``) |
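Review bot: As displayed on this page, the `expected` literal in TestRewriteWithXkcdLinkHtmlInjection contains a raw `<foo>` inside `<figcaption><p>…</p>`, which, if that is literally what the file holds, would pin the unescaped output instead of the fix described in the commit message. Presumably the page viewer decoded `&lt;foo&gt;` in both `description` and `expected`, so confirm against the checked-in file that the caption is asserted in its entity-escaped form. The test also covers only angle brackets in `title`. A second case whose title carries an ampersand and double quotes, asserting they reach the caption still escaped, would catch a partial escape. The failure message formats with `%s`; `t.Errorf("Not expected output: got %q instead of %q", output, expected)` would make escaping differences visible when the test fails.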