Commit e3223521 authored by rinpatch's avatar rinpatch

Remove tests sanitizing invalid URIs

parent a23fbf1b
......@@ -137,30 +137,8 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
@a_href_hacks [
"<a href=\"javascript:alert('XSS');\">text here</a>",
"<a href=javascript:alert('XSS')>text here</a>",
"<a href=JaVaScRiPt:alert('XSS')>text here</a>",
"<a href=javascript:alert(&quot;XSS&quot;)>text here</a>",
"<a href=javascript:alert(String.fromCharCode(88,83,83))>text here</a>",
"<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>text here</a>",
"<a href=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>text here</a>",
"<a href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>text here</a>",
"<a href=\"jav\tascript:alert('XSS');\">text here</a>",
"<a href=\"jav&#x09;ascript:alert('XSS');\">text here</a>",
"<a href=\"jav&#x0A;ascript:alert('XSS');\">text here</a>",
"<a href=\"jav&#x0D;ascript:alert('XSS');\">text here</a>",
"<a href=\" &#14; javascript:alert('XSS');\">text here</a>",
"<a href=\"javascript&#x3a;alert('XSS');\">text here</a>",
"<a href=`javascript:alert(\"RSnake says, 'XSS'\")`>text here</a>",
"<a href=\"javascript&#x3a;alert('XSS');\">text here</a>",
"<a href=\"javascript&#x003a;alert('XSS');\">text here</a>",
"<a href=\"javascript&#x3A;alert('XSS');\">text here</a>",
"<a href=\"javascript&#x003A;alert('XSS');\">text here</a>",
"<a href=\"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;\">text here</a>",
"<a href=\"JAVASCRIPT:alert(\'foo\')\">text here</a>",
"<a href=\"java<!-- -->script:alert(\'foo\')\">text here</a>",
"<a href=\"awesome.html#this:stuff\">text here</a>",
"<a href=\"java\0&#14;\t\r\n script:alert(\'foo\')\">text here</a>",
"<a href=\"java&#0000001script:alert(\'foo\')\">text here</a>",
"<a href=\"java&#0000000script:alert(\'foo\')\">text here</a>"
"<a href=javascript:alert(String.fromCharCode(88,83,83))>text here</a>"
]
@tag href_scrubbing: true
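Review bot: After this hunk the `@a_href_hacks` list keeps only the plain and mixed-case `javascript:` forms (the four entries above the closing bracket), so none of the remaining vectors exercise an entity-encoded scheme (`&#106;…`, `&#x6A…`), a control character inside the scheme (`jav&#x09;ascript:`, `java\0&#14;\t\r\n script:`) or a backtick-quoted value, and a regression in how the href scrubber treats such input would no longer be caught here; the same gap is opened in the img src list in the second hunk and by deleting `should_not_fall_for_ridiculous_hack` in the third. If the intent is that these are not valid URIs and are dropped on parse failure, that contract deserves one representative vector rather than deletion of all of them, for example keeping `"<a href=\"jav&#x09;ascript:alert('XSS');\">text here</a>",` in this list and its `<IMG SRC=…>` twin in the second hunk. A short comment above the attribute would also record why the list shrank, e.g. `# only vectors that parse as URIs; unparseable hrefs are dropped wholesale and covered separately`. The fourth hunk appears to touch the `should_not_crash_on_invalid_schema_formatting` tests as well, but it is cut off at the end of this view, so I cannot tell what coverage remains for the unparseable-href path.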
......@@ -284,17 +262,7 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
"<IMG SRC=javascript:alert('XSS')>",
"<IMG SRC=JaVaScRiPt:alert('XSS')>",
"<IMG SRC=javascript:alert(&quot;XSS&quot;)>",
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
"<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
"<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>",
"<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
"<IMG SRC=\"jav\tascript:alert('XSS');\">",
"<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
"<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",
"<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">",
"<IMG SRC=\" &#14; javascript:alert('XSS');\">",
"<IMG SRC=\"javascript&#x3a;alert('XSS');\">",
"<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>"
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>"
]
test "strips malicious protocol hacks from img src attribute" do
......@@ -332,14 +300,6 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
assert "<img/>" == basic_html_sanitize(input)
end
test "should_not_fall_for_ridiculous_hack" do
img_hack = """
<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
"""
assert "<img/>)\n" == basic_html_sanitize(img_hack)
end
test "should_sanitize_within attributes" do
input = "<span title=\"&#39;&gt;&lt;script&gt;alert()&lt;/script&gt;\">blah</span>"
......@@ -374,12 +334,6 @@ defmodule FastSanitize.Sanitizer.BasicHTMLTest do
assert input == basic_html_sanitize(input)
end
test "should_not_crash_on_invalid_schema_formatting" do
input = "<a href=\"http//www.domain.com/?encoded_param=param1%3Aparam2\">text here</a>"
assert "<a>text here</a>" == basic_html_sanitize(input)
end
test "should_not_crash_on_invalid_schema_formatting_2" do
input = "<a href=\"ftp://www.domain.com/http%3A//\">text here</a>"
assert "<a>text here</a>" == basic_html_sanitize(input)
......