mirror of
https://github.com/discourse/discourse.git
synced 2025-01-23 21:08:47 +08:00
461 lines
23 KiB
JavaScript
461 lines
23 KiB
JavaScript
module("Discourse.Markdown", {
|
|
setup: function() {
|
|
Discourse.SiteSettings.traditional_markdown_linebreaks = false;
|
|
}
|
|
});
|
|
|
|
var cooked = function(input, expected, text) {
|
|
var result = Discourse.Markdown.cook(input, {sanitize: true});
|
|
expected = expected.replace(/\/>/g, ">");
|
|
// result = result.replace("/>", ">");
|
|
equal(result, expected, text);
|
|
};
|
|
|
|
var cookedOptions = function(input, opts, expected, text) {
|
|
equal(Discourse.Markdown.cook(input, opts), expected, text);
|
|
};
|
|
|
|
test("basic cooking", function() {
|
|
cooked("hello", "<p>hello</p>", "surrounds text with paragraphs");
|
|
cooked("**evil**", "<p><strong>evil</strong></p>", "it bolds text.");
|
|
cooked("__bold__", "<p><strong>bold</strong></p>", "it bolds text.");
|
|
cooked("*trout*", "<p><em>trout</em></p>", "it italicizes text.");
|
|
cooked("_trout_", "<p><em>trout</em></p>", "it italicizes text.");
|
|
cooked("*this is italic **with some bold** inside*", "<p><em>this is italic <strong>with some bold</strong> inside</em></p>", "it handles nested bold in italics");
|
|
cooked("***hello***", "<p><strong><em>hello</em></strong></p>", "it can do bold and italics at once.");
|
|
cooked("word_with_underscores", "<p>word_with_underscores</p>", "it doesn't do intraword italics");
|
|
cooked("common/_special_font_face.html.erb", "<p>common/_special_font_face.html.erb</p>", "it doesn't intraword with a slash");
|
|
cooked("hello \\*evil\\*", "<p>hello *evil*</p>", "it supports escaping of asterisks");
|
|
cooked("hello \\_evil\\_", "<p>hello _evil_</p>", "it supports escaping of italics");
|
|
cooked("brussel sproutes are *awful*.", "<p>brussel sproutes are <em>awful</em>.</p>", "it doesn't swallow periods.");
|
|
});
|
|
|
|
test("Traditional Line Breaks", function() {
|
|
var input = "1\n2\n3";
|
|
cooked(input, "<p>1<br/>2<br/>3</p>", "automatically handles trivial newlines");
|
|
|
|
var traditionalOutput = "<p>1\n2\n3</p>";
|
|
|
|
cookedOptions(input,
|
|
{traditional_markdown_linebreaks: true},
|
|
traditionalOutput,
|
|
"It supports traditional markdown via an option");
|
|
|
|
Discourse.SiteSettings.traditional_markdown_linebreaks = true;
|
|
cooked(input, traditionalOutput, "It supports traditional markdown via a Site Setting");
|
|
});
|
|
|
|
test("Unbalanced underscores", function() {
|
|
cooked("[evil_trout][1] hello_\n\n[1]: http://eviltrout.com", "<p><a href=\"http://eviltrout.com\">evil_trout</a> hello_</p>");
|
|
});
|
|
|
|
test("Line Breaks", function() {
|
|
cooked("[] first choice\n[] second choice",
|
|
"<p>[] first choice<br/>[] second choice</p>",
|
|
"it handles new lines correctly with [] options");
|
|
|
|
cooked("<blockquote>evil</blockquote>\ntrout",
|
|
"<blockquote>evil</blockquote>\n\n<p>trout</p>",
|
|
"it doesn't insert <br> after blockquotes");
|
|
|
|
cooked("leading<blockquote>evil</blockquote>\ntrout",
|
|
"leading<blockquote>evil</blockquote>\n\n<p>trout</p>",
|
|
"it doesn't insert <br> after blockquotes with leading text");
|
|
});
|
|
|
|
test("Paragraphs for HTML", function() {
|
|
cooked("<div>hello world</div>", "<div>hello world</div>", "it doesn't surround <div> with paragraphs");
|
|
cooked("<p>hello world</p>", "<p>hello world</p>", "it doesn't surround <p> with paragraphs");
|
|
cooked("<i>hello world</i>", "<p><i>hello world</i></p>", "it surrounds inline <i> html tags with paragraphs");
|
|
cooked("<b>hello world</b>", "<p><b>hello world</b></p>", "it surrounds inline <b> html tags with paragraphs");
|
|
|
|
});
|
|
|
|
test("Links", function() {
|
|
|
|
cooked("EvilTrout: http://eviltrout.com",
|
|
'<p>EvilTrout: <a href="http://eviltrout.com">http://eviltrout.com</a></p>',
|
|
"autolinks a URL");
|
|
|
|
cooked("Youtube: http://www.youtube.com/watch?v=1MrpeBRkM5A",
|
|
'<p>Youtube: <a href="http://www.youtube.com/watch?v=1MrpeBRkM5A">http://www.youtube.com/watch?v=1MrpeBRkM5A</a></p>',
|
|
"allows links to contain query params");
|
|
|
|
cooked("Derpy: http://derp.com?__test=1",
|
|
'<p>Derpy: <a href="http://derp.com?__test=1">http://derp.com?__test=1</a></p>',
|
|
"works with double underscores in urls");
|
|
|
|
cooked("Derpy: http://derp.com?_test_=1",
|
|
'<p>Derpy: <a href="http://derp.com?_test_=1">http://derp.com?_test_=1</a></p>',
|
|
"works with underscores in urls");
|
|
|
|
cooked("Atwood: www.codinghorror.com",
|
|
'<p>Atwood: <a href="http://www.codinghorror.com">www.codinghorror.com</a></p>',
|
|
"autolinks something that begins with www");
|
|
|
|
cooked("Atwood: http://www.codinghorror.com",
|
|
'<p>Atwood: <a href="http://www.codinghorror.com">http://www.codinghorror.com</a></p>',
|
|
"autolinks a URL with http://www");
|
|
|
|
cooked("EvilTrout: http://eviltrout.com hello",
|
|
'<p>EvilTrout: <a href="http://eviltrout.com">http://eviltrout.com</a> hello</p>',
|
|
"autolinks with trailing text");
|
|
|
|
cooked("here is [an example](http://twitter.com)",
|
|
'<p>here is <a href="http://twitter.com">an example</a></p>',
|
|
"supports markdown style links");
|
|
|
|
cooked("Batman: http://en.wikipedia.org/wiki/The_Dark_Knight_(film)",
|
|
'<p>Batman: <a href="http://en.wikipedia.org/wiki/The_Dark_Knight_(film)">http://en.wikipedia.org/wiki/The_Dark_Knight_(film)</a></p>',
|
|
"autolinks a URL with parentheses (like Wikipedia)");
|
|
|
|
cooked("Here's a tweet:\nhttps://twitter.com/evil_trout/status/345954894420787200",
|
|
"<p>Here's a tweet:<br/><a href=\"https://twitter.com/evil_trout/status/345954894420787200\" class=\"onebox\" target=\"_blank\">https://twitter.com/evil_trout/status/345954894420787200</a></p>",
|
|
"It doesn't strip the new line.");
|
|
|
|
cooked("1. View @eviltrout's profile here: http://meta.discourse.org/users/eviltrout/activity<br/>next line.",
|
|
"<ol><li>View <span class=\"mention\">@eviltrout</span>'s profile here: <a href=\"http://meta.discourse.org/users/eviltrout/activity\">http://meta.discourse.org/users/eviltrout/activity</a><br>next line.</li></ol>",
|
|
"allows autolinking within a list without inserting a paragraph.");
|
|
|
|
cooked("[3]: http://eviltrout.com", "", "It doesn't autolink markdown link references");
|
|
|
|
cooked("http://discourse.org and http://discourse.org/another_url and http://www.imdb.com/name/nm2225369",
|
|
"<p><a href=\"http://discourse.org\">http://discourse.org</a> and " +
|
|
"<a href=\"http://discourse.org/another_url\">http://discourse.org/another_url</a> and " +
|
|
"<a href=\"http://www.imdb.com/name/nm2225369\">http://www.imdb.com/name/nm2225369</a></p>",
|
|
'allows multiple links on one line');
|
|
|
|
cooked("* [Evil Trout][1]\n [1]: http://eviltrout.com",
|
|
"<ul><li><a href=\"http://eviltrout.com\">Evil Trout</a></li></ul>",
|
|
"allows markdown link references in a list");
|
|
|
|
cooked("User [MOD]: Hello!",
|
|
"<p>User [MOD]: Hello!</p>",
|
|
"It does not consider references that are obviously not URLs");
|
|
|
|
cooked("<small>http://eviltrout.com</small>", "<p><small><a href=\"http://eviltrout.com\">http://eviltrout.com</a></small></p>", "Links within HTML tags");
|
|
|
|
cooked("[http://google.com ... wat](http://discourse.org)",
|
|
"<p><a href=\"http://discourse.org\">http://google.com ... wat</a></p>",
|
|
"it supports linkins within links");
|
|
|
|
cooked("[Link](http://www.example.com) (with an outer \"description\")",
|
|
"<p><a href=\"http://www.example.com\">Link</a> (with an outer \"description\")</p>",
|
|
"it doesn't consume closing parens as part of the url")
|
|
});
|
|
|
|
test("simple quotes", function() {
|
|
cooked("> nice!", "<blockquote><p>nice!</p></blockquote>", "it supports simple quotes");
|
|
cooked(" > nice!", "<blockquote><p>nice!</p></blockquote>", "it allows quotes with preceeding spaces");
|
|
cooked("> level 1\n> > level 2",
|
|
"<blockquote><p>level 1</p><blockquote><p>level 2</p></blockquote></blockquote>",
|
|
"it allows nesting of blockquotes");
|
|
cooked("> level 1\n> > level 2",
|
|
"<blockquote><p>level 1</p><blockquote><p>level 2</p></blockquote></blockquote>",
|
|
"it allows nesting of blockquotes with spaces");
|
|
|
|
cooked("- hello\n\n > world\n > eviltrout",
|
|
"<ul><li>hello</li></ul>\n\n<blockquote><p>world<br/>eviltrout</p></blockquote>",
|
|
"it allows quotes within a list.");
|
|
|
|
cooked("- <p>eviltrout</p>",
|
|
"<ul><li><p>eviltrout</p></li></ul>",
|
|
"it allows paragraphs within a list.");
|
|
|
|
|
|
cooked(" > indent 1\n > indent 2", "<blockquote><p>indent 1<br/>indent 2</p></blockquote>", "allow multiple spaces to indent");
|
|
|
|
});
|
|
|
|
test("Quotes", function() {
|
|
|
|
cookedOptions("[quote=\"eviltrout, post: 1\"]\na quote\n\nsecond line\n\nthird line[/quote]",
|
|
{ topicId: 2 },
|
|
"<aside class=\"quote\" data-post=\"1\"><div class=\"title\"><div class=\"quote-controls\"></div>eviltrout said:</div><blockquote>" +
|
|
"<p>a quote</p><p>second line</p><p>third line</p></blockquote></aside>",
|
|
"works with multiple lines");
|
|
|
|
cookedOptions("1[quote=\"bob, post:1\"]my quote[/quote]2",
|
|
{ topicId: 2, lookupAvatar: function(name) { return "" + name; }, sanitize: true },
|
|
"<p>1</p>\n\n<aside class=\"quote\" data-post=\"1\"><div class=\"title\"><div class=\"quote-controls\"></div>bob" +
|
|
"bob said:</div><blockquote><p>my quote</p></blockquote></aside>\n\n<p>2</p>",
|
|
"handles quotes properly");
|
|
|
|
cookedOptions("1[quote=\"bob, post:1\"]my quote[/quote]2",
|
|
{ topicId: 2, lookupAvatar: function() { } },
|
|
"<p>1</p>\n\n<aside class=\"quote\" data-post=\"1\"><div class=\"title\"><div class=\"quote-controls\"></div>bob said:" +
|
|
"</div><blockquote><p>my quote</p></blockquote></aside>\n\n<p>2</p>",
|
|
"includes no avatar if none is found");
|
|
});
|
|
|
|
test("Mentions", function() {
|
|
|
|
var alwaysTrue = { mentionLookup: (function() { return true; }) };
|
|
|
|
cookedOptions("Hello @sam", alwaysTrue,
|
|
"<p>Hello <a class=\"mention\" href=\"/users/sam\">@sam</a></p>",
|
|
"translates mentions to links");
|
|
|
|
cooked("[@codinghorror](https://twitter.com/codinghorror)",
|
|
"<p><a href=\"https://twitter.com/codinghorror\">@codinghorror</a></p>",
|
|
"it doesn't do mentions within links");
|
|
|
|
cookedOptions("[@codinghorror](https://twitter.com/codinghorror)", alwaysTrue,
|
|
"<p><a href=\"https://twitter.com/codinghorror\">@codinghorror</a></p>",
|
|
"it doesn't do link mentions within links");
|
|
|
|
cooked("Hello @EvilTrout", "<p>Hello <span class=\"mention\">@EvilTrout</span></p>", "adds a mention class");
|
|
cooked("robin@email.host", "<p>robin@email.host</p>", "won't add mention class to an email address");
|
|
cooked("hanzo55@yahoo.com", "<p>hanzo55@yahoo.com</p>", "won't be affected by email addresses that have a number before the @ symbol");
|
|
cooked("@EvilTrout yo", "<p><span class=\"mention\">@EvilTrout</span> yo</p>", "it handles mentions at the beginning of a string");
|
|
cooked("yo\n@EvilTrout", "<p>yo<br/><span class=\"mention\">@EvilTrout</span></p>", "it handles mentions at the beginning of a new line");
|
|
cooked("`evil` @EvilTrout `trout`",
|
|
"<p><code>evil</code> <span class=\"mention\">@EvilTrout</span> <code>trout</code></p>",
|
|
"deals correctly with multiple <code> blocks");
|
|
cooked("```\na @test\n```", "<p><pre><code class=\"lang-auto\">a @test</code></pre></p>", "should not do mentions within a code block.");
|
|
|
|
cooked("> foo bar baz @eviltrout",
|
|
"<blockquote><p>foo bar baz <span class=\"mention\">@eviltrout</span></p></blockquote>",
|
|
"handles mentions in simple quotes");
|
|
|
|
cooked("> foo bar baz @eviltrout ohmagerd\nlook at this",
|
|
"<blockquote><p>foo bar baz <span class=\"mention\">@eviltrout</span> ohmagerd<br/>look at this</p></blockquote>",
|
|
"does mentions properly with trailing text within a simple quote");
|
|
|
|
cooked("`code` is okay before @mention",
|
|
"<p><code>code</code> is okay before <span class=\"mention\">@mention</span></p>",
|
|
"Does not mention in an inline code block");
|
|
|
|
cooked("@mention is okay before `code`",
|
|
"<p><span class=\"mention\">@mention</span> is okay before <code>code</code></p>",
|
|
"Does not mention in an inline code block");
|
|
|
|
cooked("don't `@mention`",
|
|
"<p>don't <code>@mention</code></p>",
|
|
"Does not mention in an inline code block");
|
|
|
|
cooked("Yes `@this` should be code @eviltrout",
|
|
"<p>Yes <code>@this</code> should be code <span class=\"mention\">@eviltrout</span></p>",
|
|
"Does not mention in an inline code block");
|
|
|
|
cooked("@eviltrout and `@eviltrout`",
|
|
"<p><span class=\"mention\">@eviltrout</span> and <code>@eviltrout</code></p>",
|
|
"you can have a mention in an inline code block following a real mention.");
|
|
|
|
cooked("1. this is a list\n\n2. this is an @eviltrout mention\n",
|
|
"<ol><li><p>this is a list</p></li><li><p>this is an <span class=\"mention\">@eviltrout</span> mention</p></li></ol>",
|
|
"it mentions properly in a list.");
|
|
|
|
cookedOptions("@eviltrout", alwaysTrue,
|
|
"<p><a class=\"mention\" href=\"/users/eviltrout\">@eviltrout</a></p>",
|
|
"it doesn't onebox mentions");
|
|
|
|
cookedOptions("<small>a @sam c</small>", alwaysTrue,
|
|
"<p><small>a <a class=\"mention\" href=\"/users/sam\">@sam</a> c</small></p>",
|
|
"it allows mentions within HTML tags");
|
|
});
|
|
|
|
|
|
test("Heading", function() {
|
|
cooked("**Bold**\n----------", "<h2><strong>Bold</strong></h2>", "It will bold the heading");
|
|
});
|
|
|
|
test("bold and italics", function() {
|
|
cooked("a \"**hello**\"", "<p>a \"<strong>hello</strong>\"</p>", "bolds in quotes");
|
|
cooked("(**hello**)", "<p>(<strong>hello</strong>)</p>", "bolds in parens");
|
|
cooked("**hello**\nworld", "<p><strong>hello</strong><br>world</p>", "allows newline after bold");
|
|
cooked("**hello**\n**world**", "<p><strong>hello</strong><br><strong>world</strong></p>", "newline between two bolds");
|
|
cooked("**a*_b**", "<p><strong>a*_b</strong></p>", "allows for characters within bold");
|
|
cooked("** hello**", "<p>** hello**</p>", "does not bold on a space boundary");
|
|
cooked("**hello **", "<p>**hello **</p>", "does not bold on a space boundary");
|
|
cooked("你**hello**", "<p>你**hello**</p>", "does not bold chinese intra word");
|
|
cooked("**你hello**", "<p><strong>你hello</strong></p>", "allows bolded chinese");
|
|
});
|
|
|
|
test("New Lines", function() {
|
|
// Note: This behavior was discussed and we determined it does not make sense to do this
|
|
// unless you're using traditional line breaks
|
|
cooked("_abc\ndef_", "<p>_abc<br>def_</p>", "it does not allow markup to span new lines");
|
|
cooked("_abc\n\ndef_", "<p>_abc</p>\n\n<p>def_</p>", "it does not allow markup to span new paragraphs");
|
|
});
|
|
|
|
test("Oneboxing", function() {
|
|
|
|
var matches = function(input, regexp) {
|
|
return Discourse.Markdown.cook(input).match(regexp);
|
|
};
|
|
|
|
ok(!matches("- http://www.textfiles.com/bbs/MINDVOX/FORUMS/ethics\n\n- http://drupal.org", /onebox/),
|
|
"doesn't onebox a link within a list");
|
|
|
|
ok(matches("http://test.com", /onebox/), "adds a onebox class to a link on its own line");
|
|
ok(matches("http://test.com\nhttp://test2.com", /onebox[\s\S]+onebox/m), "supports multiple links");
|
|
ok(!matches("http://test.com bob", /onebox/), "doesn't onebox links that have trailing text");
|
|
|
|
ok(!matches("[Tom Cruise](http://www.tomcruise.com/)", "onebox"), "Markdown links with labels are not oneboxed");
|
|
ok(matches("[http://www.tomcruise.com/](http://www.tomcruise.com/)",
|
|
"onebox"),
|
|
"Markdown links where the label is the same as the url are oneboxed");
|
|
|
|
cooked("http://en.wikipedia.org/wiki/Homicide:_Life_on_the_Street",
|
|
"<p><a href=\"http://en.wikipedia.org/wiki/Homicide:_Life_on_the_Street\" class=\"onebox\"" +
|
|
" target=\"_blank\">http://en.wikipedia.org/wiki/Homicide:_Life_on_the_Street</a></p>",
|
|
"works with links that have underscores in them");
|
|
|
|
});
|
|
|
|
test("links with full urls", function() {
|
|
cooked("[http://eviltrout.com][1] is a url\n\n[1]: http://eviltrout.com",
|
|
"<p><a href=\"http://eviltrout.com\">http://eviltrout.com</a> is a url</p>",
|
|
"it supports links that are full URLs");
|
|
});
|
|
|
|
test("Code Blocks", function() {
|
|
|
|
cooked("<pre>\nhello\n</pre>\n",
|
|
"<p><pre>hello</pre></p>",
|
|
"pre blocks don't include extra lines");
|
|
|
|
cooked("```\na\nb\nc\n\nd\n```",
|
|
"<p><pre><code class=\"lang-auto\">a\nb\nc\n\nd</code></pre></p>",
|
|
"it treats new lines properly");
|
|
|
|
cooked("```\ntest\n```",
|
|
"<p><pre><code class=\"lang-auto\">test</code></pre></p>",
|
|
"it supports basic code blocks");
|
|
|
|
cooked("```json\n{hello: 'world'}\n```\ntrailing",
|
|
"<p><pre><code class=\"json\">{hello: 'world'}</code></pre></p>\n\n<p>trailing</p>",
|
|
"It does not truncate text after a code block.");
|
|
|
|
cooked("```json\nline 1\n\nline 2\n\n\nline3\n```",
|
|
"<p><pre><code class=\"json\">line 1\n\nline 2\n\n\nline3</code></pre></p>",
|
|
"it maintains new lines inside a code block.");
|
|
|
|
cooked("hello\nworld\n```json\nline 1\n\nline 2\n\n\nline3\n```",
|
|
"<p>hello<br/>world<br/></p>\n\n<p><pre><code class=\"json\">line 1\n\nline 2\n\n\nline3</code></pre></p>",
|
|
"it maintains new lines inside a code block with leading content.");
|
|
|
|
cooked("```text\n<header>hello</header>\n```",
|
|
"<p><pre><code class=\"text\"><header>hello</header></code></pre></p>",
|
|
"it escapes code in the code block");
|
|
|
|
cooked("```ruby\n# cool\n```",
|
|
"<p><pre><code class=\"ruby\"># cool</code></pre></p>",
|
|
"it supports changing the language");
|
|
|
|
cooked(" ```\n hello\n ```",
|
|
"<pre><code>```\nhello\n```</code></pre>",
|
|
"only detect ``` at the begining of lines");
|
|
|
|
cooked("```ruby\ndef self.parse(text)\n\n text\nend\n```",
|
|
"<p><pre><code class=\"ruby\">def self.parse(text)\n\n text\nend</code></pre></p>",
|
|
"it allows leading spaces on lines in a code block.");
|
|
|
|
cooked("```ruby\nhello `eviltrout`\n```",
|
|
"<p><pre><code class=\"ruby\">hello `eviltrout`</code></pre></p>",
|
|
"it allows code with backticks in it");
|
|
|
|
cooked("```eviltrout\nhello\n```",
|
|
"<p><pre><code class=\"lang-auto\">hello</code></pre></p>",
|
|
"it doesn't not whitelist all classes");
|
|
|
|
cooked("```\n[quote=\"sam, post:1, topic:9441, full:true\"]This is `<not>` a bug.[/quote]\n```",
|
|
"<p><pre><code class=\"lang-auto\">[quote="sam, post:1, topic:9441, full:true"]This is `<not>` a bug.[/quote]</code></pre></p>",
|
|
"it allows code with backticks in it");
|
|
|
|
cooked(" hello\n<blockquote>test</blockquote>",
|
|
"<pre><code>hello</code></pre>\n\n<blockquote>test</blockquote>",
|
|
"it allows an indented code block to by followed by a `<blockquote>`");
|
|
|
|
cooked("``` foo bar ```",
|
|
"<p><code>foo bar</code></p>",
|
|
"it tolerates misuse of code block tags as inline code");
|
|
|
|
cooked("```\nline1\n```\n```\nline2\n\nline3\n```",
|
|
"<p><pre><code class=\"lang-auto\">line1</code></pre></p>\n\n<p><pre><code class=\"lang-auto\">line2\n\nline3</code></pre></p>",
|
|
"it does not consume next block's trailing newlines");
|
|
});
|
|
|
|
test("sanitize", function() {
|
|
var sanitize = Discourse.Markdown.sanitize;
|
|
|
|
equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
|
|
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
|
|
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
|
|
equal(sanitize("<3 <3"), "<3 <3");
|
|
equal(sanitize("<_<"), "<_<");
|
|
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
|
|
|
|
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
|
|
"<p><a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a></p>",
|
|
"we can embed proper links");
|
|
|
|
cooked("<center>hello</center>", "<p>hello</p>", "it does not allow centering");
|
|
cooked("<table><tr><td>hello</td></tr></table>\nafter", "<p>after</p>", "it does not allow tables");
|
|
cooked("<blockquote>a\n</blockquote>\n", "<blockquote>a\n\n<br/>\n\n</blockquote>", "it does not double sanitize");
|
|
|
|
cooked("<iframe src=\"http://discourse.org\" width=\"100\" height=\"42\"></iframe>", "", "it does not allow most iframe");
|
|
|
|
cooked("<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",
|
|
"<iframe src=\"https://www.google.com/maps/embed?pb=!1m10!1m8!1m3!1d2624.9983685732213!2d2.29432085!3d48.85824149999999!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2s!4v1385737436368\" width=\"100\" height=\"42\"></iframe>",
|
|
"it allows iframe to google maps");
|
|
equal(sanitize("<textarea>hullo</textarea>"), "hullo");
|
|
equal(sanitize("<button>press me!</button>"), "press me!");
|
|
equal(sanitize("<canvas>draw me!</canvas>"), "draw me!");
|
|
equal(sanitize("<progress>hello"), "hello");
|
|
equal(sanitize("<mark>highlight</mark>"), "highlight");
|
|
|
|
cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
|
|
|
|
cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i><br/></p>", "it doesn't circumvent XSS with comments");
|
|
|
|
cooked("<span class=\"-bbcode-size-0 fa fa-spin\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");
|
|
cooked("<span class=\"fa fa-spin -bbcode-size-0\">a</span>", "<p><span>a</span></p>", "it sanitizes spans");
|
|
cooked("<span class=\"bbcode-size-10\">a</span>", "<p><span class=\"bbcode-size-10\">a</span></p>", "it sanitizes spans");
|
|
});
|
|
|
|
test("URLs in BBCode tags", function() {
|
|
|
|
cooked("[img]http://eviltrout.com/eviltrout.png[/img][img]http://samsaffron.com/samsaffron.png[/img]",
|
|
"<p><img src=\"http://eviltrout.com/eviltrout.png\"/><img src=\"http://samsaffron.com/samsaffron.png\"/></p>",
|
|
"images are properly parsed");
|
|
|
|
cooked("[url]http://discourse.org[/url]",
|
|
"<p><a href=\"http://discourse.org\">http://discourse.org</a></p>",
|
|
"links are properly parsed");
|
|
|
|
cooked("[url=http://discourse.org]discourse[/url]",
|
|
"<p><a href=\"http://discourse.org\">discourse</a></p>",
|
|
"named links are properly parsed");
|
|
|
|
});
|
|
|
|
test("urlAllowed", function() {
|
|
var urlAllowed = Discourse.Markdown.urlAllowed;
|
|
|
|
var allowed = function(url, msg) {
|
|
equal(urlAllowed(url), url, msg);
|
|
};
|
|
|
|
allowed("/foo/bar.html", "allows relative urls");
|
|
allowed("http://eviltrout.com/evil/trout", "allows full urls");
|
|
allowed("https://eviltrout.com/evil/trout", "allows https urls");
|
|
allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
|
|
|
|
equal(urlAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
|
|
"http://google.com/test'onmouseover=alert('XSS!');//.swf",
|
|
"escape single quotes");
|
|
});
|
|
|
|
test("images", function() {
|
|
|
|
cooked("[![folksy logo](http://folksy.com/images/folksy-colour.png)](http://folksy.com/)",
|
|
"<p><a href=\"http://folksy.com/\"><img src=\"http://folksy.com/images/folksy-colour.png\" alt=\"folksy logo\"/></a></p>",
|
|
"It allows images with links around them");
|
|
|
|
cooked("<img src=\"\" alt=\"Red dot\">",
|
|
"<p><img src=\"\" alt=\"Red dot\"></p>",
|
|
"It allows data images");
|
|
});
|