html_sanitizer_spec.rb 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe HtmlSanitizer, :aggregate_failures do
  4. describe '.replace_inline_images' do
  5. let(:body) { described_class.replace_inline_images(html).first }
  6. let(:inline_attachments) { described_class.replace_inline_images(html).last }
  7. context 'when called for image at absolute path' do
  8. let(:html) { '<img src="/some_one.png" style="width: 181px; height: 125px" alt="abc">' }
  9. it 'keeps src attr as-is' do
  10. expect(body).to match(%r{<img src="/some_one.png" style="width: 181px; height: 125px" alt="abc">})
  11. end
  12. it 'extracts no attachments' do
  13. expect(inline_attachments).to be_empty
  14. end
  15. end
  16. context 'when called for base64-encoded inline images' do
  17. context 'with src attr last' do
  18. let(:html) { '<img style="width: 181px; height: 125px" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/...">' }
  19. it 'converts embedded image to cid' do
  20. expect(body).to match(%r{<img style="width: 181px; height: 125px" src="cid:.+?">})
  21. end
  22. it 'extracts one attachment' do
  23. expect(inline_attachments).to be_one
  24. end
  25. it 'sets filename to image1.jpeg' do
  26. expect(inline_attachments.first[:filename]).to eq('image1.jpeg')
  27. end
  28. it 'sets Content-Type to image/jpeg' do
  29. expect(inline_attachments.first[:preferences]['Content-Type']).to eq('image/jpeg')
  30. end
  31. it 'sets Content-ID based on Zammad fqdn' do
  32. expect(inline_attachments.first[:preferences]['Content-ID']).to match(%r{@#{Setting.get('fqdn')}})
  33. end
  34. it 'sets Content-Disposition to inline' do
  35. expect(inline_attachments.first[:preferences]['Content-Disposition']).to eq('inline')
  36. end
  37. end
  38. context 'with src attr first' do
  39. let(:html) { '<img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/..." style="width: 181px; height: 125px" alt="abc">' }
  40. it 'converts embedded image to cid' do
  41. expect(body).to match(%r{<img src="cid:.+?" style="width: 181px; height: 125px" alt="abc">})
  42. end
  43. it 'extracts one attachment' do
  44. expect(inline_attachments).to be_one
  45. end
  46. it 'sets filename to image1.jpeg' do
  47. expect(inline_attachments.first[:filename]).to eq('image1.jpeg')
  48. end
  49. it 'sets Content-Type to image/jpeg' do
  50. expect(inline_attachments.first[:preferences]['Content-Type']).to eq('image/jpeg')
  51. end
  52. it 'sets Content-ID based on Zammad fqdn' do
  53. expect(inline_attachments.first[:preferences]['Content-ID']).to match(%r{@#{Setting.get('fqdn')}})
  54. end
  55. it 'sets Content-Disposition to inline' do
  56. expect(inline_attachments.first[:preferences]['Content-Disposition']).to eq('inline')
  57. end
  58. end
  59. context 'when followed by an incomplete/invalid HTML tag' do
  60. let(:html) { '<img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/..." style="width: 181px; height: 125px" alt="abc"><invalid what ever' }
  61. it 'converts embedded image to cid' do
  62. expect(body).to match(%r{<img src="cid:.+?" style="width: 181px; height: 125px" alt="abc">})
  63. end
  64. it 'extracts one attachment' do
  65. expect(inline_attachments).to be_one
  66. end
  67. it 'sets filename to image1.jpeg' do
  68. expect(inline_attachments.first[:filename]).to eq('image1.jpeg')
  69. end
  70. it 'sets Content-Type to image/jpeg' do
  71. expect(inline_attachments.first[:preferences]['Content-Type']).to eq('image/jpeg')
  72. end
  73. it 'sets Content-ID based on Zammad fqdn' do
  74. expect(inline_attachments.first[:preferences]['Content-ID']).to match(%r{@#{Setting.get('fqdn')}})
  75. end
  76. it 'sets Content-Disposition to inline' do
  77. expect(inline_attachments.first[:preferences]['Content-Disposition']).to eq('inline')
  78. end
  79. end
  80. context 'when nested in a <div>, mixed with other HTML elements' do
  81. let(:html) { '<div><img style="width: 181px; height: 125px" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/..."><p>123</p><img style="width: 181px; height: 125px" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/..."></div>' }
  82. it 'converts embedded image to cid' do
  83. expect(body).to match(%r{<div>\s+<img style="width: 181px; height: 125px" src="cid:.+?"><p>123</p>\s+<img style="width: 181px; height: 125px" src="cid:.+?">\s+</div>})
  84. end
  85. it 'extracts two attachments' do
  86. expect(inline_attachments.length).to be(2)
  87. end
  88. it 'sets filenames sequentially (as imageN.jpeg)' do
  89. expect(inline_attachments.first[:filename]).to eq('image1.jpeg')
  90. expect(inline_attachments.second[:filename]).to eq('image2.jpeg')
  91. end
  92. it 'sets Content-Types to image/jpeg' do
  93. expect(inline_attachments.first[:preferences]['Content-Type']).to eq('image/jpeg')
  94. expect(inline_attachments.second[:preferences]['Content-Type']).to eq('image/jpeg')
  95. end
  96. it 'sets Content-IDs based on Zammad fqdn' do
  97. expect(inline_attachments.first[:preferences]['Content-ID']).to match(%r{@#{Setting.get('fqdn')}})
  98. expect(inline_attachments.second[:preferences]['Content-ID']).to match(%r{@#{Setting.get('fqdn')}})
  99. end
  100. it 'sets Content-Dispositions to inline' do
  101. expect(inline_attachments.first[:preferences]['Content-Disposition']).to eq('inline')
  102. expect(inline_attachments.second[:preferences]['Content-Disposition']).to eq('inline')
  103. end
  104. end
  105. end
  106. context 'when processing pre elements' do
  107. let(:html) do
  108. '<pre><code>apt-get update
  109. Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
  110. Hit:2 http://de.archive.ubuntu.com/ubuntu focal InRelease
  111. Building dependency tree...</code></pre>'
  112. end
  113. it 'does not convert links' do
  114. expect(body).to eq(html)
  115. end
  116. end
  117. end
  118. describe '.dynamic_image_size' do
  119. context 'when called for image at absolute path' do
  120. context 'with src attr last' do
  121. it 'add max-width: 100% rule to style attr' do
  122. expect(described_class.dynamic_image_size(<<~HTML.chomp)).to match(Regexp.new(<<~REGEX.chomp))
  123. <img style="width: 181px; height: 125px" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/...">
  124. HTML
  125. <img style="max-width:100%;width: 181px;max-height: 125px;" src="data:image.+?">
  126. REGEX
  127. end
  128. end
  129. context 'with src attr first' do
  130. it 'add max-width: 100% rule to style attr' do
  131. expect(described_class.dynamic_image_size(<<~HTML.chomp)).to match(Regexp.new(<<~REGEX.chomp))
  132. <img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/..." style="width: 181px; height: 125px" alt="abc">
  133. HTML
  134. <img src="data:image.+?" style="max-width:100%;width: 181px;max-height: 125px;" alt="abc">
  135. REGEX
  136. end
  137. end
  138. end
  139. context 'when called for base64-encoded inline images' do
  140. context 'with src attr last' do
  141. it 'add max-width: 100% rule to style attr' do
  142. expect(described_class.dynamic_image_size(<<~HTML.chomp)).to match(Regexp.new(<<~REGEX.chomp))
  143. <img src="/some_one.png" style="width: 181px; height: 125px" alt="abc">
  144. HTML
  145. <img src="/some_one.png" style="max-width:100%;width: 181px;max-height: 125px;" alt="abc">
  146. REGEX
  147. end
  148. end
  149. context 'with src attr first' do
  150. it 'add max-width: 100% rule to style attr' do
  151. expect(described_class.dynamic_image_size(<<~HTML.chomp)).to match(Regexp.new(<<~REGEX.chomp))
  152. <img src="/some_one.png" alt="abc">
  153. HTML
  154. <img src="/some_one.png" alt="abc" style="max-width:100%;">
  155. REGEX
  156. end
  157. end
  158. end
  159. end
  160. # Issue #2416 - html_sanitizer goes into loop for specific content
  161. describe '.strict' do
  162. context 'with strings that take a long time (>10s) to parse' do
  163. before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
  164. it 'returns a timeout error message for the user' do
  165. expect(described_class.strict(+'<img src="/some_one.png">', true))
  166. .to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
  167. end
  168. end
  169. context 'with href links that contain square brackets' do
  170. it 'correctly URL encodes them' do
  171. expect(described_class.strict(+'<a href="https://example.com/?foo=bar&baz[x]=y">example</a>', true))
  172. .to eq('<a href="https://example.com/?foo=bar&amp;baz[x]=y" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com/?foo=bar&amp;baz[x]=y">example</a>')
  173. end
  174. end
  175. context 'with href links that contain http urls' do
  176. it 'correctly URL encodes them' do
  177. expect(described_class.strict(+'<a href="https://example.com/?foo=https%3A%2F%2Fexample.com%3Flala%3A123">example</a>', true))
  178. .to eq('<a href="https://example.com/?foo=https%3A%2F%2Fexample.com%3Flala%3A123" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com/?foo=https%3A%2F%2Fexample.com%3Flala%3A123">example</a>')
  179. end
  180. end
  181. context 'when HTML sanitizer is removing attributes/styles which are white listed. #4605' do
  182. it 'does not remove whitelisted attributes width' do
  183. expect(described_class.strict('<table width=20><tr width=20><td width=20>123</td></tr></table>')).to eq('<table style="width:20px;"><tr style="width:20px;"><td style="width:20px;">123</td></tr></table>')
  184. end
  185. end
  186. context 'when handling <title> tags' do
  187. let(:source) { '<title>some title</title><p>actual content</p>' }
  188. let(:target) { '<p>actual content</p>' }
  189. it 'removes them' do
  190. expect(described_class.strict(source)).to eq(target)
  191. end
  192. end
  193. end
  194. describe '.cleanup' do
  195. context 'with strings that take a long time (>10s) to parse' do
  196. before { allow(Timeout).to receive(:timeout).and_raise(Timeout::Error) }
  197. it 'returns a timeout error message for the user' do
  198. expect(described_class.cleanup(+'<img src="/some_one.png">'))
  199. .to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
  200. end
  201. end
  202. end
  203. end