DEV: Add SVG tests for 31e31ef44 (#10205)

This commit is contained in:
Kane York 2020-07-09 14:02:25 -07:00 committed by GitHub
parent bfde665e76
commit 79b52b1e9a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -381,11 +381,23 @@ RSpec.describe UploadCreator do
end
describe '#whitelist_svg!' do
let(:b64) do
Base64.encode64('<svg onmouseover="alert(alert)" />')
end
let(:file) do
file = Tempfile.new
file.write(<<~XML)
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200px" height="200px" onload="alert(location)">
<defs>
<path id="pathdef" d="m0 0h100v100h-77z" stroke="#000" />
</defs>
<g>
<use id="valid-use" x="123" xlink:href="#pathdef" />
</g>
<use id="invalid-use1" href="https://svg.example.com/evil.svg" />
<use id="invalid-use2" xlink:href="data:image/svg+xml;base64,#{b64}" />
</svg>
XML
file.rewind
@ -395,7 +407,11 @@ RSpec.describe UploadCreator do
it 'removes event handlers' do
begin
UploadCreator.new(file, 'file.svg').whitelist_svg!
expect(file.read).not_to include('onload')
file_content = file.read
expect(file_content).not_to include('onload')
expect(file_content).to include('#pathdef')
expect(file_content).not_to include('evil.svg')
expect(file_content).not_to include(b64)
ensure
file.unlink
end