goog.labs.html.sanitizer_test.js Maven / Gradle / Ivy
// Copyright 2013 The Closure Library Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS-IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
goog.provide('goog.labs.html.SanitizerTest');
goog.require('goog.html.SafeUrl');
goog.require('goog.labs.html.Sanitizer');
goog.require('goog.string');
goog.require('goog.string.Const');
goog.require('goog.testing.jsunit');
goog.setTestOnly('goog.labs.html.SanitizerTest');
var JENNYS_PHONE_NUMBER =
goog.html.SafeUrl.fromConstant(goog.string.Const.from('tel:867-5309'));
var sanitizer =
new goog.labs.html.Sanitizer()
.allowElements(
'a', 'b', 'i', 'p', 'font', 'hr', 'br', 'span', 'ol', 'ul', 'li',
'table', 'tr', 'td', 'th', 'tbody', 'h1', 'h2', 'h3', 'h4', 'h5',
'h6', 'img', 'html', 'head', 'body', 'title')
// allow unfiltered title attributes, and
.allowAttributes('*', 'title')
// specific dir values.
.allowAttributes(
'*', 'dir',
function(dir) {
return dir === 'ltr' || dir === 'rtl' ? dir : null;
})
.allowAttributes(
// Specifically on elements,
'a',
// allow an href but verify and rewrite, and
'href',
function(href) {
if (href === 'tel:867-5309') {
return JENNYS_PHONE_NUMBER;
}
// Missing anchor is an intentional error.
return /https?:\/\/google\.[a-z]{2,3}\/search\?/.test(
String(href)) ?
href :
null;
})
.allowAttributes(
'a',
// mask the generic title handler for no good reason.
'title', function(title) { return '<' + title + '>'; });
function run(input, golden, desc) {
var actual = sanitizer.sanitize(input);
assertEquals(desc, golden, actual);
}
function testEmptyString() {
run('', '', 'Empty string');
}
function testHelloWorld() {
run('Hello, World!', 'Hello, World!', 'Hello World');
}
function testNoEndTag() {
run('Hello, World!', 'Hello, World!',
'Hello World no end tag');
}
function testUnclosedTags() {
run('Hello, <>! ' +
'Hello,
<>!',
'Hello, <>! ' +
'Hello,
<>!
',
'RCDATA content, different case, unclosed tags');
}
function testListInList() {
run('- foo
- bar
',
'- foo
- bar
',
'list in list directly');
}
function testHeaders() {
run('header
body' +
'sub-headersub-body' +
'sub-sub-header
sub-sub-body
',
'header
body' +
'sub-header
sub-body' +
'sub-sub-header
sub-sub-body',
'headers');
}
function testListNesting() {
run('- foo
- bar',
'
- foo
- bar
',
'list nesting');
}
function testTableNesting() {
run('foo bar
',
'foo ' +
'bar
' +
'
',
'table nesting');
}
function testNestingLimit() {
run(goog.string.repeat('', 264) + goog.string.repeat('', 264),
goog.string.repeat('', 256) + goog.string.repeat('', 256),
'264 open spans');
}
function testTableScopes() {
run('Hi
How are you
\n' +
'' +
'Cell
\n ' +
'Cell
\n ' +
'
\n' +
'x
',
'Hi
How are you
\n' +
'' +
'Cell
\n ' +
// The close tag does not close the whole table. +
'Cell
\n ' +
'
\n' +
'x
',
'Table Scopes');
}
function testConcatSafe() {
run('<