var assert = require('assert');

// Module under test. The three entry points are bound to locals so the
// suites below can hand them to doTest as plain functions.
var sanitize = require('../lib/xss');
var sanitizeHTML = sanitize.sanitizeHTML;
var sanitizeText = sanitize.sanitizeText;
var decodeText = sanitize.decodeText;

// Number of cases that did not produce their expected output; bumped by
// doTest and read by the summary at the bottom of the file.
var failed = 0;
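// Runs one sanitizer case and records the outcome instead of aborting the run.
//   s        - function under test (sanitizeHTML, sanitizeText or decodeText)
//   src      - input string passed to s
//   expected - exact string s(src) must return
// On mismatch the module-level `failed` counter is incremented and the
// expected and actual values are printed. s(src) is evaluated exactly once:
// the previous version called it again inside the catch block to build the
// message, so a sanitizer that threw crashed the whole run from within the
// error handler rather than being reported as a failed case.
function doTest(s, src, expected) {
  var actual;
  var threw = false;
  try {
    actual = s(src);
  } catch (e) {
    // Keep the error itself so the report shows why the case failed.
    threw = true;
    actual = e;
  }
  if (!threw && actual === expected) {
    return;
  }
  failed++;
  console.log("Expected '" + expected + "'");
  console.log((threw ? "Threw '" : "Got '") + actual + "'");
}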
// Cases for sanitizeHTML as [input, expected] pairs: a tag name broken up by
// whitespace, an inline event-handler attribute, a javascript: href, an
// unterminated tag, and a quoted attribute value that itself contains a tag.
function testSanitizeHTML() {
  var cases = [
    ["< script src = bad.js>blah</script>", "[tag removed]blah[tag removed]"],
    ["< img src=asdf onerror='alert(\"xss\")'>", "<img src=\"asdf\">"],
    ["<a href='javascript:alert(document.cookie)'>", "<a href=\"[removed]:[removed]([removed])\">"],
    ["<a ", "<a>"],
    ["<img src=\"<a href=\"javascript:void(0)\">>", "<img src=\"<a href=\" javascriptvoid0>>"]
  ];
  for (var i = 0; i < cases.length; i++) {
    doTest(sanitizeHTML, cases[i][0], cases[i][1]);
  }
}
// Cases for sanitizeText: the expected value is the entity-encoded form of the
// input (second case: &lt; &gt; &amp; &quot; &ccedil; and a hex-encoded tab).
// NOTE(review): the inner double quotes in these literals appear unescaped
// here, presumably because the page renderer decoded entities that were
// written as &quot;/&lt; in the original source -- confirm against the
// checked-in file before editing these strings.
function testSanitizeText() {
  doTest(sanitizeText, "<a href=\"#\" onerror=\"javascript:alert('xss')\">", "<a href="#" onerror="javascript:alert('xss')">");
  doTest(sanitizeText, "<>&"ç	", "&lt;&gt;&amp;&quot;&ccedil;&#x09");
}
// Cases for decodeText: the inverse of testSanitizeText, with the same pairs
// used as (encoded input, decoded expected).
// NOTE(review): as in testSanitizeText, the unescaped inner quotes in these
// literals look like an artifact of the page rendering (entities such as
// &quot; decoded on display) -- verify against the checked-in file.
function testDecode() {
  doTest(decodeText, "<a href="#" onerror="javascript:alert('xss')">", "<a href=\"#\" onerror=\"javascript:alert('xss')\">");
  doTest(decodeText, "&lt;&gt;&amp;&quot;&ccedil;&#x09", "<>&"ç	");
}
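// Run every suite, then print a summary. A failing run now also sets a
// non-zero exit code: the previous version only logged the count, so a CI
// job that checks the process status (not the output) would have treated a
// failed run as green.
testSanitizeHTML();
testSanitizeText();
testDecode();

if (failed === 0) {
  console.log("Tests passed.");
} else {
  console.log("" + failed, "tests failed");
  process.exitCode = 1;
}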