// Copyright (c) 2014, David Kitchen // // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // * Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // * Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // * Neither the name of the organisation (Microcosm) nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. package bluemonday import "testing" func TestStrictPolicy(t *testing.T) { p := StrictPolicy() tests := []test{ { in: "Hello, World!", expected: "Hello, World!", }, { in: "

Hello, World!", expected: "Hello, World!", }, { // Real world example from a message board in: `email me - addy in profile`, expected: `email me - addy in profile`, }, {}, } for ii, test := range tests { out := p.Sanitize(test.in) if out != test.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, test.in, out, test.expected, ) } } } func TestUGCPolicy(t *testing.T) { tests := []test{ // Simple formatting {in: "Hello, World!", expected: "Hello, World!"}, {in: "Hello, World!", expected: "Hello, World!"}, // Blocks and formatting { in: "
Hello, World!
", expected: "
Hello, World!
", }, { in: "
Hello, World!
", expected: "
Hello, World!
", }, // Inline tags featuring globals { in: `Hello, World!`, expected: `Hello, World!`, }, { in: `Hello, World!`, expected: `Hello, World!`, }, // Images { in: `foo`, expected: `foo`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, // Anchors { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Link text`, expected: `Link text`, }, { in: `Header text`, expected: `Header text`, }, // Image map and links { in: ``, expected: ``, }, // Tables { in: `` + `` + `` + `` + `` + `` + `` + `` + `` + `` + `
Column One Column Two
` + `Size 2 ` + `Size 7
`, expected: "" + `` + `` + `` + `` + `` + `` + `` + `` + `` + `` + `
Column One Column Two
Size 2 Size 7
`, }, // Ordering { in: `xssgoogle`, expected: `xssgoogle`, }, // OWASP 25 June 2014 09:15 Strange behaviour { in: "Hallo\r\n\nEnde\n\r", expected: "
Hallo\n\nEnde\n\n", }, } p := UGCPolicy() for ii, test := range tests { out := p.Sanitize(test.in) if out != test.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, test.in, out, test.expected, ) } } }