<!DOCTYPE html>
<!--
Copyright 2021 The Chromium Authors. All rights reserved.
Use of this source code is governed by a BSD-style license that can be
found in the LICENSE file.
-->
<meta name="viewport" content="width=device-width, minimum-scale=1.0, initial-scale=1.0, user-scalable=yes">
<title>sanitizer tests</title>
<script src="../node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js"></script>
<script src="../node_modules/web-component-tester/browser.js"></script>
<script type="module">
import {sanitize} from '../src/main/resources/static/sanitizer.js';
suite('sanitizer', () => {
  /**
   * Feeds each input through sanitize() and requires the result to equal the
   * expected markup. The comparison is an exact string match, so any change in
   * what the sanitizer emits (extra attribute, different escaping) fails here.
   *
   * @param {Array<{in: string, out: string}>} table Input/expected pairs,
   *     checked in order; the first mismatch throws.
   */
  const expectSanitized = (table) => {
    for (const {in: dirty, out: clean} of table) {
      assert.strictEqual(sanitize(dirty), clean);
    }
  };

  // A script element must vanish completely: the expected output is empty.
  // NOTE(review): only a self-closing, src-only script is covered; a script
  // element with an inline body is not exercised in this file.
  test('scripts properly sanitized', () => {
    expectSanitized([
      {
        in: '<script src="evil.js"/>',
        out: '',
      },
    ]);
  });

  test('paragraphs properly sanitized', () => {
    expectSanitized([
      // Inline style is dropped; the element and its text are kept.
      {
        in: '<p style="font-size: 100">hi</p>',
        out: '<p>hi</p>',
      },
      // Tag names come back lower-cased.
      {
        in: '<P>hi</P>',
        out: '<p>hi</p>',
      },
      // A void <br> is serialized in self-closing form.
      {
        in: 'a<br>b',
        out: 'a<br/>b',
      },
    ]);
  });

  // Attributes on list elements are stripped; the list structure survives.
  test('lists properly sanitized', () => {
    expectSanitized([
      {
        in: '<ul foo="bar"><li x="y">a</li><li>a</li></ul>',
        out: '<ul><li>a</li><li>a</li></ul>',
      },
    ]);
  });

  // Every anchor in the expected output carries rel="noopener" and
  // target="_blank": the link opens in a new browsing context and noopener
  // keeps that page from reaching back through window.opener.
  // An href that is rejected is not removed but replaced with an inert
  // about:invalid URL whose fragment records the reason.
  // NOTE(review): no case here covers event-handler attributes or scheme
  // spelling variations (e.g. mixed case); worth adding once the expected
  // output has been confirmed against sanitizer.js.
  test('links properly sanitized', () => {
    expectSanitized([
      // Absolute https URL passes through; alt is retained on the anchor.
      {
        in: '<a href="https://ci.chromium.org/" alt="x">link</a>',
        out: '<a rel="noopener" target="_blank" href="https://ci.chromium.org/" alt="x">link</a>',
      },
      // javascript: is reported as a disallowed scheme.
      {
        in: '<a href="javascript:evil.js">link</a>',
        out: '<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme">link</a>',
      },
      // about: is also disallowed as input, even though the replacement
      // URL itself uses about:invalid.
      {
        in: '<a href="about:blank">link</a>',
        out: '<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=disallowed-scheme">link</a>',
      },
      // Unparseable href is reported as malformed.
      {
        in: '<a href="%">link</a>',
        out: '<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=malformed-url">link</a>',
      },
      // A relative path is treated as malformed too, so in these cases only
      // absolute URLs with an accepted scheme survive.
      {
        in: '<a href="/foo">link</a>',
        out: '<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=malformed-url">link</a>',
      },
      // A stray '<' is entity-escaped, the unquoted relative href is
      // rejected, and the unclosed anchor is closed in the output.
      {
        in: '<<a href=abc>',
        out: '&lt;<a rel="noopener" target="_blank" href="about:invalid#sanitized&amp;reason=malformed-url"></a>',
      },
    ]);
  });

  test('miscellaneous HTML properly sanitized', () => {
    expectSanitized([
      // The <div> wrapper is not emitted, but its children are.
      {
        in: '<div><strong>hello</strong></div>',
        out: '<strong>hello</strong>',
      },
      // An already-escaped entity is left as is (no double escaping).
      {
        in: '&lt;',
        out: '&lt;',
      },
      // An unrecognized entity has its ampersand escaped.
      {
        in: '&foobar;',
        out: '&amp;foobar;',
      },
      // An unclosed <div> is dropped without losing the paragraph inside.
      {
        in: '<div><p>foo</p>',
        out: '<p>foo</p>',
      },
      // A stray closing tag (here carrying an attribute) is discarded.
      {
        in: '<p></a alt="blah"></p>',
        out: '<p></p>',
      },
      // Misnested closing tags are rebalanced, and an anchor without href
      // still receives rel and target.
      {
        in: '<p><a>blah</p></a>',
        out: '<p><a rel="noopener" target="_blank">blah</a></p>',
      },
    ]);
  });
});
</script>