Commit 321dac7e authored by Jeroen Hoffman's avatar Jeroen Hoffman

HHP-27 add unit tests for cleaning regular data: value

parent 6994c1bd
......@@ -185,51 +185,76 @@ public class WhitelistHtmlFilterTest {
public void testCleanJavascriptProtocolArgumentTrue() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
addToWhitelist(Element.create("a", "href", "onclick"));
// src attribute contains javascript:
TagNode result = filterHtml("<a href=\"#\" onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
TagNode a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("", a.getAttributeByName("onclick"));
// src attribute contains javascript: + space
result = filterHtml("<a href=\"#\" onclick=\"javascript: lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("", a.getAttributeByName("onclick"));
}
@Test
public void testCleanJavascriptProtocolArgumentFalse() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), false);
addToWhitelist(Element.create("a", "href", "onclick"));
final TagNode result = filterHtml("<a href=\"#\" onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
// src attribute contains javascript
// src attribute contains javascript:
final TagNode a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("", a.getAttributeByName("onclick"));
assertEquals("javascript:lancerPu('XXXcodepuXXX')", a.getAttributeByName("onclick"));
}
@Test
public void testCleanJavascriptProtocolArgumentNewLine() throws Exception {
public void testCleanJavascriptProtocolNewLine() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
addToWhitelist(Element.create("a", "href"));
// check new lines
TagNode result = filterHtml("<a href=\"jav&#x0A;ascript:alert('XSS');\">test</a>");
TagNode result = filterHtml("<a href=\"jav&#x0A;ascript:alert('XSS');\">test</a>");
TagNode a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("", a.getAttributeByName("href"));
result = filterHtml("<a href=\"javascript\n:alert('XSS');\">test</a>");
result = filterHtml("<a href=\"javascript\n:alert('XSS');\">test</a>");
a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("javascript :alert('XSS');", a.getAttributeByName("href"));
}
} @Test
public void testCleanDataProtocolArgumentNewLine() throws Exception {
@Test
public void testCleanDataProtocol() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
addToWhitelist(Element.create("a", "href"));
// check new lines
TagNode result = filterHtml("<a href=\"data\n:testData\">data</a>");
// href attribute contains data:
TagNode result = filterHtml("<a href=\"data:testData\">data</a>");
TagNode a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("data :testData", a.getAttributeByName("href"));
assertEquals("", a.getAttributeByName("href"));
// href attribute contains data: + space
result = filterHtml("<a href=\"data: testData\">data</a>");
a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("", a.getAttributeByName("href"));
}
@Test
public void testCleanJavascriptProtocolArgumentFalse() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), false);
addToWhitelist(Element.create("a", "href", "onclick"));
final TagNode result = filterHtml("<a href=\"#\" onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
// src attribute contains javascript
final TagNode a = result.findElementByName("a", true);
public void testCleanDataProtocolNewLine() throws Exception {
filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
addToWhitelist(Element.create("a", "href"));
// check new lines
TagNode result = filterHtml("<a href=\"data\n:testData\">data</a>");
TagNode a = result.findElementByName("a", true);
assertNotNull(a);
assertEquals("javascript:lancerPu('XXXcodepuXXX')", a.getAttributeByName("onclick"));
assertEquals("data :testData", a.getAttributeByName("href"));
}
private TagNode filterHtml(final String html) {
......
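Review bot: The expectation in testCleanDataProtocolNewLine, `assertEquals("data :testData", a.getAttributeByName("href"))`, pins down that a raw newline between scheme and colon is kept as a space while the entity-encoded `jav&#x0A;ascript:` case earlier in the hunk expects the attribute to be emptied, and nothing in the test records why those two inputs are treated differently. If the intent is that a literal space stops the value from parsing as a scheme whereas the decoded entity reassembles one, a comment on the assertion such as `// newline is normalised to a space, so the value can no longer be read as a data: URL` would make that expectation reviewable instead of an accident of the cleaner; the same applies to the `"javascript :alert('XSS');"` assertion in testCleanJavascriptProtocolNewLine. The new data: tests only exercise the lower-case scheme with at most one space after the colon; if the filter is meant to match case-insensitively, a `Data:`/`DATA:` variant would close that gap, and otherwise a comment stating the case-sensitive contract would. Both methods rely on `filter` and `addToWhitelist` declared outside the hunk, and filterHtml at the end of the hunk continues past it.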