authorKyle Tsang <[email protected]>2023-04-30 14:33:09 -0700
committerGitHub <[email protected]>2023-05-01 00:33:09 +0300
commitd5dee316f7f53521e7ece23f10200fe566b9c565 (patch)
treea90564dfe6ed593afb3c51a24f05aba7b95163e5 /js/tests/unit
parenta06c2e6b5f8cd3debdd8b9bd2765681aba8680ad (diff)
downloadbootstrap-d5dee316f7f53521e7ece23f10200fe566b9c565.tar.xz
bootstrap-d5dee316f7f53521e7ece23f10200fe566b9c565.zip
Update URL sanitizer to allow more protocols (#38531)
Co-authored-by: XhmikosR <[email protected]>
Diffstat (limited to 'js/tests/unit')
-rw-r--r--js/tests/unit/util/sanitizer.spec.js78
1 files changed, 68 insertions, 10 deletions
diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js
index 55e9b6336..2b21ef2e1 100644
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@@ -10,17 +10,75 @@ describe('Sanitizer', () => {
expect(result).toEqual(empty)
})
- it('should sanitize template by removing tags with XSS', () => {
- const template = [
- '<div>',
- ' <a href="javascript:alert(7)">Click me</a>',
- ' <span>Some content</span>',
- '</div>'
- ].join('')
-
- const result = sanitizeHtml(template, DefaultAllowlist, null)
+ it('should retain tags with valid URLs', () => {
+ const validUrls = [
+ '',
+ 'http://abc',
+ 'HTTP://abc',
+ 'https://abc',
+ 'HTTPS://abc',
+ 'ftp://abc',
+ 'FTP://abc',
+ 'mailto:[email protected]',
+ 'MAILTO:[email protected]',
+ 'tel:123-123-1234',
+ 'TEL:123-123-1234',
+ '#anchor',
+ '/page1.md',
+ 'http://JavaScript/my.js',
+ 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/', // Truncated.
+ 'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
+ 'data:audio/opus;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
+ 'unknown-scheme:abc'
+ ]
+
+ for (const url of validUrls) {
+ const template = [
+ '<div>',
+ ` <a href="${url}">Click me</a>`,
+ ' <span>Some content</span>',
+ '</div>'
+ ].join('')
+
+ const result = sanitizeHtml(template, DefaultAllowlist, null)
+
+ expect(result).toContain(`href="${url}"`)
+ }
+ })
- expect(result).not.toContain('href="javascript:alert(7)')
+ it('should sanitize template by removing tags with XSS', () => {
+ const invalidUrls = [
+ // eslint-disable-next-line no-script-url
+ 'javascript:alert(7)',
+ // eslint-disable-next-line no-script-url
+ 'javascript:evil()',
+ // eslint-disable-next-line no-script-url
+ 'JavaScript:abc',
+ ' javascript:abc',
+ ' \n Java\n Script:abc',
+ '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
+ '&#106&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
+ '&#106 &#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
+ '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',
+ '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;',
+ 'jav&#x09;ascript:alert();',
+ 'jav\u0000ascript:alert();'
+ ]
+
+ for (const url of invalidUrls) {
+ const template = [
+ '<div>',
+ ` <a href="${url}">Click me</a>`,
+ ' <span>Some content</span>',
+ '</div>'
+ ].join('')
+
+ const result = sanitizeHtml(template, DefaultAllowlist, null)
+
+ expect(result).not.toContain(`href="${url}"`)
+ }
})
it('should sanitize template and work with multiple regex', () => {
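Review bot: The negative assertion `expect(result).not.toContain(`href="${url}"`)` is vacuous for the entity-encoded payloads (`&#106;&#97;...`, `&#x6A&#x61...`, `jav&#x09;ascript:`, `jav\u0000ascript:`): the HTML parser decodes those entities (and replaces NUL) before the sanitizer sees the attribute, so the serialized result can never contain the raw entity text, and the test passes even if the decoded `javascript:` href survives untouched. Since the template contains exactly one `href`, a check that does not depend on how the value re-serializes would be `expect(result).not.toContain('href=')`, or asserting on the parsed attribute of the resulting `<a>`; this assumes the sanitizer round-trips through a DOM parser, which is not visible in this hunk. Separately, listing `unknown-scheme:abc` among the valid URLs means the policy is now effectively a denylist of `javascript:`; it would be worth pinning the intended treatment of other active schemes (`vbscript:`, `data:text/html;base64,...`) in one of the two lists so a later regex change cannot silently flip it.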