diff --git a/test/html_test.exs b/test/html_test.exs new file mode 100644 index 000000000..f7150759b --- /dev/null +++ b/test/html_test.exs @@ -0,0 +1,80 @@ +defmodule Pleroma.HTMLTest do + alias Pleroma.HTML + use Pleroma.DataCase + + @html_sample """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ + """ + + @html_onerror_sample """ + + """ + + describe "StripTags scrubber" do + test "works as expected" do + expected = """ + this is in bold + this is a paragraph + this is a linebreak + this is an image: + alert('hacked') + """ + + assert expected == HTML.strip_tags(@html_sample) + end + + test "does not allow attribute-based XSS" do + expected = "\n" + + assert expected == HTML.strip_tags(@html_onerror_sample) + end + end + + describe "TwitterText scrubber" do + test "normalizes HTML as expected" do + expected = """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText) + end + + test "does not allow attribute-based XSS" do + expected = """ + + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText) + end + end + + describe "default scrubber" do + test "normalizes HTML as expected" do + expected = """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default) + end + + test "does not allow attribute-based XSS" do + expected = """ + + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default) + end + end +end