Commit 1cb0756a authored by rinpatch's avatar rinpatch

to_html: Do not add a space before > if the tag has no attributes

A space was emitted before the closing `/>` of a self-closing tag, but only when that tag had no attributes (`<img />` versus `<img src="x"/>`). This commit makes the serializer consistent by never emitting that space, so a self-closing tag renders as `<img/>` whether or not it has attributes.
parent 4e1febc1
......@@ -3,23 +3,29 @@ defmodule FastSanitize.Fragment do
def to_tree(bin) do
with {:html, _, [{:head, _, _}, {:body, _, fragment}]} <-
Myhtmlex.decode(bin, format: [:html_atoms, :nil_self_closing, :comment_tuple3]) do
Myhtmlex.decode(bin, format: [:nil_self_closing, :comment_tuple3, :html_atoms]) do
{:ok, fragment}
else
e -> {:error, e}
e ->
{:error, e}
end
end
defp build_attr_chunks([]) do
""
end
defp build_attr_chunks(attrs) do
Enum.map(attrs, fn {k, v} ->
"#{html_escape(k)}=\"#{html_escape(v)}\""
end)
|> Enum.join(" ")
" " <>
(Enum.map(attrs, fn {k, v} ->
"#{html_escape(k)}=\"#{html_escape(v)}\""
end)
|> Enum.join(" "))
end
defp build_start_tag(tag, attrs, nil), do: "<#{tag} #{build_attr_chunks(attrs)}/>"
defp build_start_tag(tag, attrs, nil), do: "<#{tag}#{build_attr_chunks(attrs)}/>"
defp build_start_tag(tag, attrs, _children) when length(attrs) == 0, do: "<#{tag}>"
defp build_start_tag(tag, attrs, _children), do: "<#{tag} #{build_attr_chunks(attrs)}>"
defp build_start_tag(tag, attrs, _children), do: "<#{tag}#{build_attr_chunks(attrs)}>"
# empty tuple - fragment was clobbered, return nothing
defp fragment_to_html({}), do: ""
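Review bot: The `when length(attrs) == 0` clause of `build_start_tag/3` is now redundant: with the new `build_attr_chunks([])` clause returning `""`, the general clause right below it already produces `<#{tag}>` for an empty attribute list, and `length/1` walks the whole list where a `[]` head matches in O(1). I would drop that clause, or if it is kept for readability, write it as `defp build_start_tag(tag, [], _children), do: "<#{tag}>"` so the three clauses use the same `[]` head as `build_attr_chunks/1`. One thing this hunk does not show is `html_escape/1`: attribute values are emitted inside double quotes, so the output is only injection-safe if that function escapes `"`, and attribute names are only safe because they are presumably allowlisted upstream (escaping does not neutralize whitespace or `=` inside a name) — worth confirming rather than assuming, since this module is the last step before the sanitized string is emitted.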
......@@ -298,7 +298,7 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
]
test "strips malicious protocol hacks from img src attribute" do
expected = "<img />"
expected = "<img/>"
Enum.each(@image_src_hacks, fn x ->
assert expected == basic_html_sanitize(x)
......@@ -313,7 +313,7 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
test "strips xss image hack with uppercase tags" do
input = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"
expected = "<img />alert(&quot;XSS&quot;)&quot;&gt;"
expected = "<img/>alert(&quot;XSS&quot;)&quot;&gt;"
assert expected == basic_html_sanitize(input)
end
......@@ -329,7 +329,7 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
test "sanitize half open scripts" do
input = "<IMG SRC=\"javascript:alert('XSS')\""
assert "<img />" == basic_html_sanitize(input)
assert "<img/>" == basic_html_sanitize(input)
end
test "should_not_fall_for_ridiculous_hack" do
......@@ -337,7 +337,7 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
"""
assert "<img />)\n" == basic_html_sanitize(img_hack)
assert "<img/>)\n" == basic_html_sanitize(img_hack)
end
test "should_sanitize_within attributes" do
......@@ -355,17 +355,17 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
end
test "should_sanitize_invalid_tag_names_in_single_tags" do
assert "<img />" ==
assert "<img/>" ==
basic_html_sanitize("<img/src=\"javascript:alert('XSS')\"/>")
end
test "should_sanitize_img_dynsrc_lowsrc" do
assert "<img />" ==
assert "<img/>" ==
basic_html_sanitize("<img lowsrc=\"javascript:alert('XSS')\" />")
end
test "should_sanitize_img_vbscript" do
assert "<img />" ==
assert "<img/>" ==
basic_html_sanitize("<img src='vbscript:msgbox(\"XSS\")' />")
end
......@@ -17,7 +17,7 @@ defmodule FastSanitize.Fragment.Test do
test "it works for simple fragment trees with atypical tags" do
tree = [{:br, [], nil}, {:hr, [], nil}]
{:ok, "<br /><hr />"} = FastSanitize.Fragment.to_html(tree)
{:ok, "<br/><hr/>"} = FastSanitize.Fragment.to_html(tree)
end
test "it works for simple fragment trees with non-terminating tags" do
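Review bot: This test only pins the attribute-less case (`<br/><hr/>`), so the half of the change the commit is about — a self-closing tag that does have attributes no longer gets a space before `/>` — has no assertion in `FastSanitize.Fragment.Test`. I would add a sibling test such as `tree = [{:img, [{"src", "a"}], nil}]` with `{:ok, "<img src=\"a\"/>"} = FastSanitize.Fragment.to_html(tree)`, using whatever key type `Myhtmlex` actually emits for attribute names. It would also be worth asserting the mixed case, e.g. `[{:br, [], nil}, {:img, [{"alt", "x"}], nil}]`, so a future regression in `build_attr_chunks/1` leading-space handling is caught here rather than only in the sanitizer tests.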