import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text';
import { hrefAllowed } from 'pretty-text/sanitizer';
module("lib:sanitizer");
test("sanitize", function() {
const pt = new PrettyText(buildOptions({ siteSettings: {} }));
const cooked = (input, expected, text) => equal(pt.cook(input), expected.replace(/\/>/g, ">"), text);
equal(pt.sanitize("bug "), "bug ");
equal(pt.sanitize("
"), "
");
equal(pt.sanitize(""), "");
equal(pt.sanitize("<3 <3"), "<3 <3");
equal(pt.sanitize("<_<"), "<_<");
cooked("hello", "hello
", "it sanitizes while cooking");
cooked("disney reddit ",
"disney reddit
",
"we can embed proper links");
cooked("hello ", "hello
", "it does not allow centering");
cooked("\nafter", "after
", "it does not allow tables");
cooked("a\n \n", "a\n\n \n\n ", "it does not double sanitize");
cooked("", "", "it does not allow most iframes");
cooked("",
"",
"it allows iframe to google maps");
cooked("",
"",
"it allows iframe to OpenStreetMap");
equal(pt.sanitize(""), "hullo");
equal(pt.sanitize("press me! "), "press me!");
equal(pt.sanitize("draw me! "), "draw me!");
equal(pt.sanitize("hello"), "hello");
equal(pt.sanitize("highlight "), "highlight");
cooked("[the answer](javascript:alert(42))", "the answer
", "it prevents XSS");
cooked(" \n", "
", "it doesn't circumvent XSS with comments");
cooked("a ", "a
", "it sanitizes spans");
cooked("a ", "a
", "it sanitizes spans");
cooked("a ", "a
", "it sanitizes spans");
cooked("Ctrl +C ", "Ctrl +C
");
cooked("it has been 1 day 0 days since our last test failure", "it has been 1 day 0 days since our last test failure
");
cooked(`it has been 1 day 0 days since our last test failure`, `it has been 1 day 0 days since our last test failure
`);
cooked(`hello
`, `hello
`);
cooked(`1 + 1 is 3 2 `, `1 + 1 is 3 2
`);
cooked(`JS `, `JS
`);
cooked(`Forum Software `, `Forum Software `);
cooked(`high low HUGE `, `high low HUGE
`);
});
test("ids on headings", () => {
const pt = new PrettyText(buildOptions({ siteSettings: {} }));
equal(pt.sanitize("Test Heading "), "Test Heading ");
equal(pt.sanitize(`Test Heading `), `Test Heading `);
equal(pt.sanitize(`Test Heading `), `Test Heading `);
equal(pt.sanitize(`Test Heading `), `Test Heading `);
equal(pt.sanitize(`Test Heading `), `Test Heading `);
equal(pt.sanitize(`Test Heading `), `Test Heading `);
equal(pt.sanitize(`Test Heading `), `Test Heading `);
});
test("urlAllowed", () => {
const allowed = (url, msg) => equal(hrefAllowed(url), url, msg);
allowed("/foo/bar.html", "allows relative urls");
allowed("http://eviltrout.com/evil/trout", "allows full urls");
allowed("https://eviltrout.com/evil/trout", "allows https urls");
allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
equal(hrefAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
"http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf",
"escape single quotes");
});