mirror of
https://github.com/go-gitea/gitea
synced 2024-12-29 18:04:37 +01:00
8a20fba8eb
Remove unmaintainable sanitizer rules. No need to add special "class" regexp rules anymore, use RenderInternal.SafeAttr instead, more details (and examples) are in the tests
61 lines
1.9 KiB
Go
61 lines
1.9 KiB
Go
// Copyright 2024 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package internal
|
|
|
|
import (
|
|
"bytes"
|
|
"html/template"
|
|
"io"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestRenderInternal(t *testing.T) {
|
|
cases := []struct {
|
|
input, protected, recovered string
|
|
}{
|
|
{
|
|
input: `<div class="test">class="content"</div>`,
|
|
protected: `<div data-attr-class="sec:test">class="content"</div>`,
|
|
recovered: `<div class="test">class="content"</div>`,
|
|
},
|
|
{
|
|
input: "<div\nclass=\"test\" data-xxx></div>",
|
|
protected: `<div data-attr-class="sec:test" data-xxx></div>`,
|
|
recovered: `<div class="test" data-xxx></div>`,
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
var r RenderInternal
|
|
out := &bytes.Buffer{}
|
|
in := r.init("sec", out)
|
|
protected := r.ProtectSafeAttrs(template.HTML(c.input))
|
|
assert.EqualValues(t, c.protected, protected)
|
|
_, _ = io.WriteString(in, string(protected))
|
|
_ = in.Close()
|
|
assert.EqualValues(t, c.recovered, out.String())
|
|
}
|
|
|
|
var r1, r2 RenderInternal
|
|
protected := r1.ProtectSafeAttrs(`<div class="test"></div>`)
|
|
assert.EqualValues(t, `<div class="test"></div>`, protected, "non-initialized RenderInternal should not protect any attributes")
|
|
_ = r1.init("sec", nil)
|
|
protected = r1.ProtectSafeAttrs(`<div class="test"></div>`)
|
|
assert.EqualValues(t, `<div data-attr-class="sec:test"></div>`, protected)
|
|
assert.EqualValues(t, "data-attr-class", r1.SafeAttr("class"))
|
|
assert.EqualValues(t, "sec:val", r1.SafeValue("val"))
|
|
recovered, ok := r1.RecoverProtectedValue("sec:val")
|
|
assert.True(t, ok)
|
|
assert.EqualValues(t, "val", recovered)
|
|
recovered, ok = r1.RecoverProtectedValue("other:val")
|
|
assert.False(t, ok)
|
|
assert.Empty(t, recovered)
|
|
|
|
out2 := &bytes.Buffer{}
|
|
in2 := r2.init("sec-other", out2)
|
|
_, _ = io.WriteString(in2, string(protected))
|
|
_ = in2.Close()
|
|
assert.EqualValues(t, `<div data-attr-class="sec:test"></div>`, out2.String(), "different secureID should not recover the value")
|
|
}
|