wipe_spec.rb 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe HtmlSanitizer::Scrubber::Wipe do
  4. let(:scrubber) { described_class.new }
  5. describe('#scrubber') do
  6. subject(:actual) do
  7. # export with extra options to avoid html indentation
  8. fragment.scrub!(scrubber)
  9. .to_html save_with: Nokogiri::XML::Node::SaveOptions::DEFAULT_HTML ^ Nokogiri::XML::Node::SaveOptions::FORMAT
  10. end
  11. let(:fragment) { Loofah.fragment(input) }
  12. context 'when has not allowed tag' do
  13. let(:input) { '<not-allowed><b>asd</b></not-allowed>' }
  14. let(:target) { '<b>asd</b>' }
  15. it { is_expected.to eq target }
  16. end
  17. context 'when has not allowed tag in not allowed' do
  18. let(:input) { '<not-allowed><not-allowed>asd</not-allowed></not-allowed>' }
  19. let(:target) { 'asd' }
  20. it { is_expected.to eq target }
  21. end
  22. context 'when has not allowed tag inside of an allowed tag' do
  23. let(:input) { '<div><not-allowed></not-allowed></div>' }
  24. let(:target) { '<div></div>' }
  25. it { is_expected.to eq target }
  26. end
  27. context 'when insecure source' do
  28. let(:input) { '<img src="http://example.org/image.jpg">' }
  29. let(:target) { '' }
  30. it { is_expected.to eq target }
  31. end
  32. context 'when has not allowed classes' do
  33. let(:input) { '<div class="to-be-removed js-signatureMarker">test</div>' }
  34. let(:target) { '<div class="js-signatureMarker">test</div>' }
  35. it { is_expected.to eq target }
  36. end
  37. context 'when has width and height attributes' do
  38. let(:input) { '<img width="100px" height="100px" other="true">' }
  39. let(:target) { '<img style="width:100px;height:100px;">' }
  40. it { is_expected.to eq target }
  41. end
  42. context 'when has width and max-width attributes' do
  43. let(:input) { '<img width="100px" style="max-width: 600px">' }
  44. let(:target) { '<img style="max-width: 600px;width:100px;">' }
  45. it { is_expected.to eq target }
  46. end
  47. context 'when has not allowed attributes' do
  48. let(:input) { '<div width="100px" style="color:#ff0000" other="true">test</div>' }
  49. let(:target) { '<div style="color:#ff0000;">test</div>' }
  50. it { is_expected.to eq target }
  51. end
  52. context 'when has style' do
  53. let(:input) { '<div style="color:white">test</div><div style="color:#ff0000;">test</div>' }
  54. let(:target) { '<div>test</div><div style="color:#ff0000;">test</div>' }
  55. it { is_expected.to eq target }
  56. end
  57. context 'when has executeable link' do
  58. let(:input) { '<img style="width:100%" src="javascript:alert()">' }
  59. let(:target) { '' }
  60. it { is_expected.to eq target }
  61. it 'does not mark remote content as removed' do
  62. expect { actual }.not_to change(scrubber, :remote_content_removed)
  63. end
  64. end
  65. context 'when has an image with a proper link' do
  66. let(:input) { '<img style="width:100%" src="https://zammad.org/dummy.png">' }
  67. let(:target) { '' }
  68. it { is_expected.to eq target }
  69. it 'does mark remote content as removed' do
  70. expect { actual }.to change(scrubber, :remote_content_removed).from(false).to(true)
  71. end
  72. end
  73. end
  74. end