| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>parseHtmlSubset test</title> |
| </head> |
| <body> |
| <script> |
| |
| function parseAndAssertThrows() { |
| var args = arguments; |
| assertThrows(function() { |
| parseHtmlSubset.apply(null, args); |
| }); |
| } |
| |
| function testText() { |
| parseHtmlSubset(''); |
| parseHtmlSubset('abc'); |
| parseHtmlSubset(' '); |
| } |
| |
| function testSupportedTags() { |
| parseHtmlSubset('<b>bold</b>'); |
| parseHtmlSubset('Some <b>bold</b> text'); |
| parseHtmlSubset('Some <strong>strong</strong> text'); |
| parseHtmlSubset('<B>bold</B>'); |
| parseHtmlSubset('Some <B>bold</B> text'); |
| parseHtmlSubset('Some <STRONG>strong</STRONG> text'); |
| } |
| |
| function testInvalidTags() { |
| parseAndAssertThrows('<unknown_tag>x</unknown_tag>'); |
| parseAndAssertThrows('<img>'); |
| parseAndAssertThrows('<script>alert(1)<' + '/script>'); |
| } |
| |
| function testInvalidAttributes() { |
| parseAndAssertThrows('<b onclick="alert(1)">x</b>'); |
| parseAndAssertThrows('<b style="color:red">x</b>'); |
| parseAndAssertThrows('<b foo>x</b>'); |
| parseAndAssertThrows('<b foo=bar></b>'); |
| } |
| |
| function testValidAnchors() { |
| parseHtmlSubset('<a href="https://google.com">Google</a>'); |
| parseHtmlSubset('<a href="chrome://settings">Google</a>'); |
| } |
| |
| function testInvalidAnchorHrefs() { |
| parseAndAssertThrows('<a href="http://google.com">Google</a>'); |
| parseAndAssertThrows('<a href="ftp://google.com">Google</a>'); |
| parseAndAssertThrows('<a href="http/google.com">Google</a>'); |
| parseAndAssertThrows('<a href="javascript:alert(1)">Google</a>'); |
| parseAndAssertThrows('<a href="chrome-extension://whurblegarble">Google</a>'); |
| } |
| |
| function testInvalidAnchorAttributes() { |
| parseAndAssertThrows('<a name=foo>Google</a>'); |
| parseAndAssertThrows( |
| '<a onclick="alert(1)" href="https://google.com">Google</a>'); |
| parseAndAssertThrows('<a foo="bar(1)" href="https://google.com">Google</a>'); |
| } |
| |
| function testAnchorTarget() { |
| var df = parseHtmlSubset( |
| '<a href="https://google.com" target="_blank">Google</a>'); |
| assertEquals('_blank', df.firstChild.target); |
| } |
| |
| function testInvalidTarget() { |
| parseAndAssertThrows('<form target="_evil">', ['form']); |
| parseAndAssertThrows('<iframe target="_evil">', ['iframe']); |
| parseAndAssertThrows('<a href="https://google.com" target="foo">Google</a>'); |
| } |
| |
| function testCustomTags() { |
| parseHtmlSubset('yo <I>ho</i><bR>yo <EM>ho</em>', ['i', 'EM', 'Br']); |
| } |
| |
| function testInvalidCustomTags() { |
| parseAndAssertThrows("a pirate's<script>lifeForMe();<" + '/script>', ['br']); |
| } |
| |
| function testCustomAttributes() { |
| function returnsTruthy(node, value) { |
| assertEquals('A', node.tagName); |
| assertEquals('fancy', value); |
| return true; |
| } |
| parseHtmlSubset('<a class="fancy">I\'m fancy!</a>', null, |
| {class: returnsTruthy}); |
| } |
| |
| function testInvalidCustomAttributes() { |
| function returnsFalsey() { |
| return false; |
| } |
| parseAndAssertThrows('<a class="fancy">I\'m fancy!</a>', null, |
| {class: returnsFalsey}); |
| parseAndAssertThrows('<a class="fancy">I\'m fancy!</a>'); |
| } |
| |
| function testOnErrorAsync(testDoneCalback) { |
| window.called = false; |
| |
| parseAndAssertThrows('<img onerror="window.called = true" src="_.png">'); |
| parseAndAssertThrows('<img src="_.png" onerror="window.called = true">'); |
| |
| window.setTimeout(function() { |
| assertFalse(window.called); |
| testDoneCalback(); |
| }); |
| } |
| |
| </script> |
| |
| </body> |
| </html> |