2021-05-26 17:41:35 +08:00
# frozen_string_literal: true
require " rails_helper "
describe Onebox :: Preview do
before do
stub_request ( :get , " https://www.amazon.com/product " )
. to_return ( status : 200 , body : onebox_response ( " amazon " ) )
end
let ( :preview_url ) { " http://www.amazon.com/product " }
let ( :preview ) { described_class . new ( preview_url ) }
describe " # to_s " do
before do
stub_request ( :get , " https://www.amazon.com/Seven-Languages-Weeks-Programming-Programmers/dp/193435659X " )
. to_return ( status : 200 , body : onebox_response ( " amazon " ) )
end
it " returns some html if given a valid url " do
title = " Seven Languages in Seven Weeks: A Pragmatic Guide to Learning Programming Languages (Pragmatic Programmers) "
expect ( preview . to_s ) . to include ( title )
end
it " returns an empty string if the url is not valid " do
expect ( described_class . new ( 'not a url' ) . to_s ) . to eq ( " " )
end
end
describe " max_width " do
let ( :iframe_html ) { '<iframe src="//player.vimeo.com/video/96017582" width="1280" height="720" frameborder="0" title="GO BIG OR GO HOME" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>' }
it " doesn't change dimensions without an option " do
iframe = described_class . new ( preview_url )
iframe . stubs ( :engine_html ) . returns ( iframe_html )
result = iframe . to_s
expect ( result ) . to include ( " width= \" 1280 \" " )
expect ( result ) . to include ( " height= \" 720 \" " )
end
it " doesn't change dimensions if it is smaller than `max_width` " do
iframe = described_class . new ( preview_url , max_width : 2000 )
iframe . stubs ( :engine_html ) . returns ( iframe_html )
result = iframe . to_s
expect ( result ) . to include ( " width= \" 1280 \" " )
expect ( result ) . to include ( " height= \" 720 \" " )
end
it " changes dimensions if larger than `max_width` " do
iframe = described_class . new ( preview_url , max_width : 900 )
iframe . stubs ( :engine_html ) . returns ( iframe_html )
result = iframe . to_s
expect ( result ) . to include ( " width= \" 900 \" " )
expect ( result ) . to include ( " height= \" 506 \" " )
end
end
describe " # engine " do
2021-07-31 01:36:30 +08:00
let ( :preview_image_url ) { " http://www.example.com/image/without/file_extension " }
let ( :preview_image ) { described_class . new ( preview_image_url , content_type : 'image/png' ) }
2021-05-26 17:41:35 +08:00
it " returns an engine " do
expect ( preview . send ( :engine ) ) . to be_an ( Onebox :: Engine )
end
2021-07-31 01:36:30 +08:00
it " can match based on content_type " do
expect ( preview_image . send ( :engine ) ) . to be_an ( Onebox :: Engine :: ImageOnebox )
end
2021-05-26 17:41:35 +08:00
end
describe " xss " do
let ( :xss ) { " wat' onerror='alert(/XSS/) " }
let ( :img_html ) { " <img src=' #{ xss } '> " }
it " prevents XSS " do
preview = described_class . new ( preview_url )
preview . stubs ( :engine_html ) . returns ( img_html )
result = preview . to_s
expect ( result ) . not_to match ( / onerror / )
end
end
describe " iframe sanitizer " do
let ( :iframe_html ) { " <iframe src='https://thirdparty.example.com'> " }
it " sanitizes iframes from unknown origins " do
preview = described_class . new ( preview_url )
preview . stubs ( :engine_html ) . returns ( iframe_html )
result = preview . to_s
expect ( result ) . not_to include ( ' src="https://thirdparty.example.com"' )
expect ( result ) . to include ( ' data-unsanitized-src="https://thirdparty.example.com"' )
end
it " allows allowed origins " do
preview = described_class . new ( preview_url , allowed_iframe_origins : [ " https://thirdparty.example.com " ] )
preview . stubs ( :engine_html ) . returns ( iframe_html )
result = preview . to_s
expect ( result ) . to include ' src="https://thirdparty.example.com"'
end
it " allows wildcard allowed origins " do
preview = described_class . new ( preview_url , allowed_iframe_origins : [ " https://*.example.com " ] )
preview . stubs ( :engine_html ) . returns ( iframe_html )
result = preview . to_s
expect ( result ) . to include ' src="https://thirdparty.example.com"'
end
end
end