import com.google.common.base.Throwables;
import org.junit.Assert;
import org.owasp.html.Handler;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamRenderer;

import java.io.IOException;
import java.io.UncheckedIOException;
/**
 * @author Kohsuke Kawaguchi
 */
public class MyspacePolicyTest extends Assert {
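/**
 * Exercises {@code MyspacePolicy} with representative markup. Input the policy is expected to
 * pass through untouched goes through {@link #assertIntact}; input carrying an active-content
 * vector goes through {@link #assertReject} together with the token that must not survive
 * sanitization.
 *
 * <p>NOTE(review): no {@code @Test} annotation is visible on this method, and the class extends
 * {@code org.junit.Assert} rather than a JUnit 3 {@code TestCase}. If the annotation is really
 * absent, a JUnit 4 runner will not discover this method and none of these checks run -- confirm
 * against the build.
 */
public void testPolicy() {
    // Links: http, relative and mailto targets survive; a javascript: URL must be stripped.
    assertIntact("<a href='http://www.cloudbees.com'>CB</a>");
    assertIntact("<a href='relative/link'>relative</a>");
    assertIntact("<a href='mailto:kk@kohsuke.org'>myself</a>");
    assertReject("javascript","<a href='javascript:alert(5)'>test</a>");

    // Images follow the same URL-scheme rules as links. (The original listed the relative
    // case twice; the duplicate is dropped.)
    assertIntact("<img src='http://www.cloudbees.com'>");
    assertIntact("<img src='relative/test.png'>");
    assertReject("javascript","<img src='javascript:alert(5)'>");

    // Inline formatting and block-level structure.
    assertIntact("<b><i><u><strike>basic tag</strike></u></i></b>");
    assertIntact("<div><p>basic block tags</p></div>");

    assertIntact("<ul><li>1</li><li>2</li><li>3</li></ul>");
    assertIntact("<ol><li>x</li></ol>");
    assertIntact("<dl><dt>abc</dt><dd>foo</dd></dl>");
    assertIntact("<table><tr><th>header</th></tr><tr><td>something</td></tr></table>");
    assertIntact("<h1>title</h1><blockquote>blurb</blockquote>");

    // Frames: iframes with relative and http sources are kept, javascript: ones are not.
    assertIntact("<iframe src='nested'></iframe>");
    assertIntact("<iframe src='http://kohsuke.org'></iframe>");
    assertReject("javascript","<iframe src='javascript:foo'></iframe>");

    // Script elements are rejected whether inline, external or relative.
    assertReject("script","<script>window.alert(5);</script>");
    assertReject("script","<script src='http://foo/evil.js'></script>");
    assertReject("script","<script src='relative.js'></script>");

    // Styling is admitted by this policy: style elements, external stylesheets and inline
    // style attributes are all pinned here as pass-through rather than rejected.
    assertIntact("<style>H1 { display:none; }</style>");
    assertIntact("<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
    assertIntact("<div style='background-color:white'>inline CSS</div>");
    assertIntact("<br><hr>");

    // Forms, including password inputs posting to an arbitrary action, pass through under this
    // policy; consumers embedding its output should treat that as a phishing surface.
    assertIntact("<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
}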
/**
 * Asserts that {@code input} survives sanitization unchanged.
 *
 * <p>Single quotes are rewritten to double quotes before the comparison (presumably because the
 * renderer emits double-quoted attribute values -- confirm), and both the expected and the
 * sanitized value are derived from that rewritten string.
 *
 * @param input markup written with single-quoted attributes
 */
private void assertIntact(String input) {
    final String normalized = input.replace('\'', '"');
    assertSanitize(normalized, normalized);
}
/**
 * Asserts that sanitizing {@code input} yields output in which {@code problematic} does not occur.
 *
 * <p>This is a plain substring check: it shows the literal token is gone from the rendered
 * output, not that the offending element or attribute was removed in a particular way. The full
 * sanitized output is used as the assertion message so a failure shows what survived.
 *
 * @param problematic token that must be absent from the sanitized output
 * @param input markup expected to carry that token into the sanitizer
 */
private void assertReject(String problematic, String input) {
    final String sanitized = sanitize(input);
    assertTrue(sanitized, sanitized.indexOf(problematic) < 0);
}
/**
 * Asserts that sanitizing {@code input} produces exactly {@code expected}.
 *
 * @param expected the exact rendered output required
 * @param input markup to sanitize
 */
private void assertSanitize(String expected, String input) {
    final String actual = sanitize(input);
    assertEquals(expected, actual);
}
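/**
 * Runs {@code input} through {@code MyspacePolicy.POLICY_DEFINITION} and returns the rendered
 * result.
 *
 * <p>Output is rendered by {@link HtmlStreamRenderer} into an in-memory buffer. A write failure is
 * rethrown as an {@link UncheckedIOException} (replacing the deprecated
 * {@code Throwables.propagate}, which wrapped it in a bare {@code RuntimeException}); input the
 * parser flags as malformed is turned into a test failure via {@link AssertionError}.
 *
 * @param input raw markup to sanitize
 * @return the sanitized markup as rendered under the policy
 */
private String sanitize(String input) {
    StringBuilder buf = new StringBuilder();
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
            // Output sink; the sanitized markup is read back from it below.
            buf,
            // Receives notifications on a failure to write to the output.
            new Handler<IOException>() {
                @Override
                public void handle(IOException ex) {
                    // StringBuilder.append never throws IOException, so this should not fire;
                    // if it somehow does, fail loudly instead of letting the renderer swallow it.
                    throw new UncheckedIOException(ex);
                }
            },
            // Our HTML parser is very lenient, but this receives notifications on
            // truly bizarre inputs.
            new Handler<String>() {
                @Override
                public void handle(String x) {
                    throw new AssertionError(x);
                }
            });
    HtmlSanitizer.sanitize(input, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
    return buf.toString();
}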