mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-01 23:29:12 +01:00
eaea530d6b
- The library that's being used for org-mode, [doesn't render the status
of list items](https://github.com/niklasfasching/go-org/issues/63).
- Add a modified version of the proposed CSS snippet to still display
the status for the list items. The alternative was parsing HTML and
transforming it, which is too complicated for this small task.
- Resolves https://codeberg.org/Codeberg/Community/issues/1099
(cherry picked from commit 9753c7e4b8)
Refs: https://codeberg.org/forgejo/forgejo/pulls/1071
Co-authored-by: Gusted <postmaster@gusted.xyz>
83 lines
4.2 KiB
Go
83 lines
4.2 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// Copyright 2017 The Gogs Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package markup
|
|
|
|
import (
|
|
"html/template"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func Test_Sanitizer(t *testing.T) {
|
|
NewSanitizer()
|
|
testCases := []string{
|
|
// Regular
|
|
`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`,
|
|
|
|
// Code highlighting class
|
|
`<code class="random string"></code>`, `<code></code>`,
|
|
`<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`,
|
|
`<code class="language-go"></code>`, `<code class="language-go"></code>`,
|
|
|
|
// Input checkbox
|
|
`<input type="hidden">`, ``,
|
|
`<input type="checkbox">`, `<input type="checkbox">`,
|
|
`<input checked disabled autofocus>`, `<input checked="" disabled="">`,
|
|
|
|
// Code highlight injection
|
|
`<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`,
|
|
`<code class="language-lol ui tab active menu attached animating sidebar following bar center">
|
|
<code class="language-lol ui container input huge basic segment center"> </code>
|
|
<img src="https://try.gogs.io/img/favicon.png" width="200" height="200">
|
|
<code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code>
|
|
<code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at <a href="http://example.com/">example.com</a>.</code>
|
|
</code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>",
|
|
|
|
// <kbd> tags
|
|
`<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`,
|
|
`<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`,
|
|
`<i class="icon dropdown"></i>`, `<i class="icon dropdown"></i>`,
|
|
`<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`,
|
|
`<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`,
|
|
`<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`,
|
|
|
|
// Color property
|
|
`<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`,
|
|
`<p style="color: red">Hello World</p>`, `<p style="color: red">Hello World</p>`,
|
|
`<code style="color: red">Hello World</code>`, `<code>Hello World</code>`,
|
|
`<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`,
|
|
`<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`,
|
|
`<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`,
|
|
|
|
// Org mode status of list items.
|
|
`<li class="checked"></li>`, `<li class="checked"></li>`,
|
|
`<li class="unchecked"></li>`, `<li class="unchecked"></li>`,
|
|
`<li class="indeterminate"></li>`, `<li class="indeterminate"></li>`,
|
|
|
|
// URLs
|
|
`<a href="cbthunderlink://somebase64string)">my custom URL scheme</a>`, `<a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a>`,
|
|
`<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a>`, `<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a>`,
|
|
|
|
// Disallow dangerous url schemes
|
|
`<a href="javascript:alert('xss')">bad</a>`, `bad`,
|
|
`<a href="vbscript:no">bad</a>`, `bad`,
|
|
`<a href="data:1234">bad</a>`, `bad`,
|
|
}
|
|
|
|
for i := 0; i < len(testCases); i += 2 {
|
|
assert.Equal(t, testCases[i+1], Sanitize(testCases[i]))
|
|
}
|
|
}
|
|
|
|
func TestSanitizeNonEscape(t *testing.T) {
|
|
descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>"
|
|
|
|
output := template.HTML(Sanitize(descStr))
|
|
if strings.Contains(string(output), "<script>") {
|
|
t.Errorf("un-escaped <script> in output: %q", output)
|
|
}
|
|
}
|