diff options
Diffstat (limited to 'reader/sanitizer/sanitizer_test.go')
| -rw-r--r-- | reader/sanitizer/sanitizer_test.go | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/reader/sanitizer/sanitizer_test.go b/reader/sanitizer/sanitizer_test.go new file mode 100644 index 0000000..73862d3 --- /dev/null +++ b/reader/sanitizer/sanitizer_test.go @@ -0,0 +1,144 @@ +// Copyright 2017 Frédéric Guillot. All rights reserved. +// Use of this source code is governed by the Apache 2.0 +// license that can be found in the LICENSE file. + +package sanitizer + +import "testing" + +func TestValidInput(t *testing.T) { + input := `<p>This is a <strong>text</strong> with an image: <img src="http://example.org/" alt="Test">.</p>` + output := Sanitize("http://example.org/", input) + + if input != output { + t.Errorf(`Wrong output: "%s" != "%s"`, input, output) + } +} + +func TestSelfClosingTags(t *testing.T) { + input := `<p>This <br> is a <strong>text</strong> <br/>with an image: <img src="http://example.org/" alt="Test"/>.</p>` + output := Sanitize("http://example.org/", input) + + if input != output { + t.Errorf(`Wrong output: "%s" != "%s"`, input, output) + } +} + +func TestTable(t *testing.T) { + input := `<table><tr><th>A</th><th colspan="2">B</th></tr><tr><td>C</td><td>D</td><td>E</td></tr></table>` + output := Sanitize("http://example.org/", input) + + if input != output { + t.Errorf(`Wrong output: "%s" != "%s"`, input, output) + } +} + +func TestRelativeURL(t *testing.T) { + input := `This <a href="/test.html">link is relative</a> and this image: <img src="../folder/image.png"/>` + expected := `This <a href="http://example.org/test.html" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">link is relative</a> and this image: <img src="http://example.org/folder/image.png"/>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestProtocolRelativeURL(t *testing.T) { + input := `This <a href="//static.example.org/index.html">link is relative</a>.` + expected := `This <a href="https://static.example.org/index.html" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">link is relative</a>.` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestInvalidTag(t *testing.T) { + input := `<p>My invalid <b>tag</b>.</p>` + expected := `<p>My invalid tag.</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestVideoTag(t *testing.T) { + input := `<p>My valid <video src="videofile.webm" autoplay poster="posterimage.jpg">fallback</video>.</p>` + expected := `<p>My valid <video src="http://example.org/videofile.webm" poster="http://example.org/posterimage.jpg" controls>fallback</video>.</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestAudioAndSourceTag(t *testing.T) { + input := `<p>My music <audio controls="controls"><source src="foo.wav" type="audio/wav"></audio>.</p>` + expected := `<p>My music <audio controls><source src="http://example.org/foo.wav" type="audio/wav"></audio>.</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestUnknownTag(t *testing.T) { + input := `<p>My invalid <unknown>tag</unknown>.</p>` + expected := `<p>My invalid tag.</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestInvalidNestedTag(t *testing.T) { + input := `<p>My invalid <b>tag with some <em>valid</em> tag</b>.</p>` + expected := `<p>My invalid tag with some <em>valid</em> tag.</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestInvalidIFrame(t *testing.T) { + input := `<iframe src="http://example.org/"></iframe>` + expected := `` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestInvalidURLScheme(t *testing.T) { + input := `<p>This link is <a src="file:///etc/passwd">not valid</a></p>` + expected := `<p>This link is not valid</p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestBlacklistedLink(t *testing.T) { + input := `<p>This image is not valid <img src="https://stats.wordpress.com/some-tracker"></p>` + expected := `<p>This image is not valid </p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} + +func TestPixelTracker(t *testing.T) { + input := `<p><img src="https://tracker1.example.org/" height="1" width="1"> and <img src="https://tracker2.example.org/" height="1" width="1"/></p>` + expected := `<p> and </p>` + output := Sanitize("http://example.org/", input) + + if expected != output { + t.Errorf(`Wrong output: "%s" != "%s"`, expected, output) + } +} |