//! Tests for [`sanitize_str`] against the predefined rule sets
//! (`BASIC`, `DEFAULT`, `RELAXED`, `RESTRICTED`, `UNTRUSTED`) and one hand-built [`Rules`] value.
//!
//! NOTE(review): the string fixtures in this listing look as if their HTML markup was lost
//! during extraction — inputs and expected outputs are mostly identical plain text
//! (e.g. `"foo"` -> `"foo"`), so as shown most assertions would also pass against a
//! sanitizer that changes nothing. Confirm the fixtures against the repository before
//! treating them as regression coverage for the cases the section comments describe.
#![cfg(test)]

use super::rules::predefined::*;
use super::rules::{Element, Rules};
use super::sanitize_str;

/// Every predefined rule set maps the empty string to the empty string.
///
/// Together with `malicious_untrusted`, this is the only place in this listing where
/// `UNTRUSTED` is exercised at all.
#[test]
fn empty() {
    assert_eq!(&sanitize_str(&BASIC, "").unwrap(), "");
    assert_eq!(&sanitize_str(&DEFAULT, "").unwrap(), "");
    assert_eq!(&sanitize_str(&RELAXED, "").unwrap(), "");
    assert_eq!(&sanitize_str(&RESTRICTED, "").unwrap(), "");
    assert_eq!(&sanitize_str(&UNTRUSTED, "").unwrap(), "");
}

/* basic */
// Shared input for the `basic_*` tests. The expected outputs differ per rule set in
// whether the `alert("hello world");` text is kept and whether the line break after
// `sit` is turned into a space.
const BASIC_HTML: &str = "Lorem ipsum dolor sit
amet ";

#[test]
fn basic_default() {
    assert_eq!(
        &sanitize_str(&DEFAULT, BASIC_HTML).unwrap(),
        "Lorem ipsum dolor sit amet "
    );
}

#[test]
fn basic_restricted() {
    assert_eq!(
        &sanitize_str(&RESTRICTED, BASIC_HTML).unwrap(),
        "Lorem ipsum dolor sit amet alert(\"hello world\");"
    );
}

#[test]
fn basic_basic() {
    assert_eq!(
        &sanitize_str(&BASIC, BASIC_HTML).unwrap(),
        "Lorem ipsum dolor sit
amet alert(\"hello world\");"
    );
}

#[test]
fn basic_relaxed() {
    assert_eq!(
        &sanitize_str(&RELAXED, BASIC_HTML).unwrap(),
        "Lorem ipsum dolor sit
amet alert(\"hello world\");"
    );
}

/* malformed */
// NOTE(review): `MALFORMED_HTML` is defined but not used anywhere in this listing, and the
// `malicious_*` tests below use `MALICIOUS_HTML`, which is not defined here. The "malformed"
// test cases and the `MALICIOUS_HTML` fixture were presumably lost between these two points
// — confirm against the repository.
const MALFORMED_HTML: &str = "Lorem ipsum dolor sit
amet ";

// The expected outputs of the `malicious_*` tests contain the literal text
// `<script>alert("hello world");`. NOTE(review): in the real fixture this is presumably
// the entity-escaped form that extraction decoded; as shown, asserting a raw `<script>` in
// sanitizer output would be the wrong expectation — verify before relying on these.
#[test]
fn malicious_default() {
    assert_eq!(
        &sanitize_str(&DEFAULT, MALICIOUS_HTML).unwrap(),
        "Lorem ipsum dolor sit amet <script>alert(\"hello world\");"
    );
}

#[test]
fn malicious_restricted() {
    assert_eq!(
        &sanitize_str(&RESTRICTED, MALICIOUS_HTML).unwrap(),
        "Lorem ipsum dolor sit amet <script>alert(\"hello world\");"
    );
}

#[test]
fn malicious_basic() {
    assert_eq!(
        &sanitize_str(&BASIC, MALICIOUS_HTML).unwrap(),
        "Lorem ipsum dolor sit
amet <script>alert(\"hello world\");"
    );
}

#[test]
fn malicious_untrusted() {
    assert_eq!(
        &sanitize_str(&UNTRUSTED, MALICIOUS_HTML).unwrap(),
        "Lorem ipsum dolor sit amet <script>alert(\"hello world\");"
    );
}

#[test]
fn malicious_relaxed() {
    assert_eq!(
        &sanitize_str(&RELAXED, MALICIOUS_HTML).unwrap(),
        "Lorem ipsum dolor sit
amet <script>alert(\"hello world\");"
    );
}

/* raw-comment */
// Input and every expected output are the bare text `Hello`; no rule set is expected to
// alter it. `UNTRUSTED` is not covered by this section.
const RAW_COMMENT_HTML: &str = "Hello";

#[test]
fn raw_comment_default() {
    assert_eq!(&sanitize_str(&DEFAULT, RAW_COMMENT_HTML).unwrap(), "Hello");
}

#[test]
fn raw_comment_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, RAW_COMMENT_HTML).unwrap(), "Hello");
}

#[test]
fn raw_comment_basic() {
    assert_eq!(&sanitize_str(&BASIC, RAW_COMMENT_HTML).unwrap(), "Hello");
}

#[test]
fn raw_comment_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, RAW_COMMENT_HTML).unwrap(), "Hello");
}

/* protocol-based JS injection: simple, no spaces */
// All `js_injection_*` cases follow one pattern: one fixture per encoding variant named in
// the section comment, checked against DEFAULT, RESTRICTED, BASIC and RELAXED, each
// expecting the bare text `foo`. `UNTRUSTED` is not exercised by any of them — a gap worth
// closing, since it is the rule set a caller would pick for the least trusted input.
const JS_INJECTION_HTML_1: &str = "foo";

#[test]
fn js_injection_1_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_1).unwrap(), "foo");
}

#[test]
fn js_injection_1_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_1).unwrap(), "foo");
}

#[test]
fn js_injection_1_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_1).unwrap(), "foo");
}

#[test]
fn js_injection_1_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_1).unwrap(), "foo");
}

/* protocol-based JS injection: simple, spaces before */
const JS_INJECTION_HTML_2: &str = "foo";

#[test]
fn js_injection_2_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_2).unwrap(), "foo");
}

#[test]
fn js_injection_2_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_2).unwrap(), "foo");
}

#[test]
fn js_injection_2_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_2).unwrap(), "foo");
}

#[test]
fn js_injection_2_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_2).unwrap(), "foo");
}

/* protocol-based JS injection: simple, spaces after */
// The BASIC and RELAXED cases for this fixture follow further down the file.
const JS_INJECTION_HTML_3: &str = "foo";

#[test]
fn js_injection_3_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_3).unwrap(), "foo");
}

#[test]
fn js_injection_3_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_3).unwrap(), "foo");
}
// Continuation of the "protocol-based JS injection: simple, spaces after" cases; the
// `JS_INJECTION_HTML_3` fixture is defined above.
#[test]
fn js_injection_3_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_3).unwrap(), "foo");
}

#[test]
fn js_injection_3_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_3).unwrap(), "foo");
}

/* protocol-based JS injection: simple, spaces before and after */
// NOTE(review): every `js_injection_*` fixture in this listing is the bare text `foo`,
// identical to its expected output, so as shown none of these cases can detect a
// javascript: URL being passed through — the markup was presumably lost in extraction.
const JS_INJECTION_HTML_4: &str = "foo";

#[test]
fn js_injection_4_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_4).unwrap(), "foo");
}

#[test]
fn js_injection_4_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_4).unwrap(), "foo");
}

#[test]
fn js_injection_4_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_4).unwrap(), "foo");
}

#[test]
fn js_injection_4_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_4).unwrap(), "foo");
}

/* protocol-based JS injection: preceding colon */
const JS_INJECTION_HTML_5: &str = "foo";

#[test]
fn js_injection_5_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_5).unwrap(), "foo");
}

#[test]
fn js_injection_5_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_5).unwrap(), "foo");
}

#[test]
fn js_injection_5_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_5).unwrap(), "foo");
}

#[test]
fn js_injection_5_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_5).unwrap(), "foo");
}

/* protocol-based JS injection: UTF-8 encoding */
const JS_INJECTION_HTML_6: &str = "foo";

#[test]
fn js_injection_6_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_6).unwrap(), "foo");
}

#[test]
fn js_injection_6_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_6).unwrap(), "foo");
}

#[test]
fn js_injection_6_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_6).unwrap(), "foo");
}

#[test]
fn js_injection_6_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_6).unwrap(), "foo");
}

/* protocol-based JS injection: long UTF-8 encoding */
const JS_INJECTION_HTML_7: &str = "foo";

#[test]
fn js_injection_7_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_7).unwrap(), "foo");
}

#[test]
fn js_injection_7_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_7).unwrap(), "foo");
}

#[test]
fn js_injection_7_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_7).unwrap(), "foo");
}

#[test]
fn js_injection_7_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_7).unwrap(), "foo");
}

/* protocol-based JS injection: long UTF-8 encoding without semicolons */
const JS_INJECTION_HTML_8: &str = "foo";

#[test]
fn js_injection_8_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_8).unwrap(), "foo");
}

#[test]
fn js_injection_8_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_8).unwrap(), "foo");
}

#[test]
fn js_injection_8_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_8).unwrap(), "foo");
}

#[test]
fn js_injection_8_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_8).unwrap(), "foo");
}

/* protocol-based JS injection: hex encoding */
const JS_INJECTION_HTML_9: &str = "foo";

#[test]
fn js_injection_9_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_9).unwrap(), "foo");
}

#[test]
fn js_injection_9_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_9).unwrap(), "foo");
}

#[test]
fn js_injection_9_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_9).unwrap(), "foo");
}

#[test]
fn js_injection_9_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_9).unwrap(), "foo");
}

/* protocol-based JS injection: long hex encoding */
const JS_INJECTION_HTML_10: &str = "foo";

#[test]
fn js_injection_10_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_10).unwrap(), "foo");
}

#[test]
fn js_injection_10_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_10).unwrap(), "foo");
}

#[test]
fn js_injection_10_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_10).unwrap(), "foo");
}

#[test]
fn js_injection_10_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_10).unwrap(), "foo");
}

/* protocol-based JS injection: hex encoding without semicolons */
const JS_INJECTION_HTML_11: &str = "foo";

#[test]
fn js_injection_11_default() {
    assert_eq!(&sanitize_str(&DEFAULT, JS_INJECTION_HTML_11).unwrap(), "foo");
}

#[test]
fn js_injection_11_restricted() {
    assert_eq!(&sanitize_str(&RESTRICTED, JS_INJECTION_HTML_11).unwrap(), "foo");
}

#[test]
fn js_injection_11_basic() {
    assert_eq!(&sanitize_str(&BASIC, JS_INJECTION_HTML_11).unwrap(), "foo");
}

#[test]
fn js_injection_11_relaxed() {
    assert_eq!(&sanitize_str(&RELAXED, JS_INJECTION_HTML_11).unwrap(), "foo");
}

/* should translate valid HTML entities */
// NOTE(review): the section comment describes entity translation, but the input literal
// as shown contains no entity references (the `&` and `é` are already decoded), so input
// and expected output are identical — the references were presumably decoded during
// extraction; confirm against the repository.
#[test]
fn misc_1() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "Don't tasé me & bro!").unwrap(),
        "Don't tasé me & bro!"
    );
}

/* should translate valid HTML entities while encoding unencoded ampersands */
// NOTE(review): as shown, input and expected output are identical; see the note on
// `misc_1`.
#[test]
fn misc_2() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "cookies² & ¼ créme").unwrap(),
        "cookies² & ¼ créme"
    );
}

/* should never output ' */
// NOTE(review): the section comment presumably named a specific entity for the apostrophe
// that was decoded in extraction; the point of the case is that the output carries a plain
// `'` rather than an entity reference.
#[test]
fn misc_3() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "IE6 isn't a real browser").unwrap(),
        "IE6 isn't a real browser"
    );
}

/* should not choke on several instances of the same element in a row */
// NOTE(review): as shown the input is the empty string, which cannot contain repeated
// elements; the fixture presumably lost its markup in extraction.
#[test]
fn misc_4() {
    assert_eq!(&sanitize_str(&DEFAULT, "").unwrap(), "");
}

/* should surround the contents of :whitespace_elements with space characters when removing the element */
// `misc_5`, `misc_6` and `misc_7` share the same input (`foo`, `bar`, `baz` on separate
// lines) and the same expected output (`foo bar baz`); as shown they differ only in name.
#[test]
fn misc_5() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "foo
bar
baz")
        .unwrap(),
        "foo bar baz"
    );
}

#[test]
fn misc_6() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "foo
bar
baz")
        .unwrap(),
        "foo bar baz"
    );
}

#[test]
fn misc_7() {
    assert_eq!(
        &sanitize_str(&DEFAULT, "foo
bar
baz")
        .unwrap(),
        "foo bar baz"
    );
}

/// Builds a `Rules` value by hand instead of using a predefined set: comments allowed,
/// `b` and `span` registered as elements, `script` and `style` passed to `delete`, `br`
/// passed to `space`, and `strong` renamed to `span`.
///
/// NOTE(review): with the fixture as shown (plain text, no tags) the only effect asserted
/// is the line break after `sit` becoming a space — confirm the original fixture.
#[test]
fn custom_rules() {
    let rules = Rules::new()
        .allow_comments(true)
        .element(Element::new("b"))
        .element(Element::new("span"))
        .delete("script")
        .delete("style")
        .space("br")
        .rename("strong", "span");
    let html = "Lorem ipsum dolor sit
amet ";
    assert_eq!(
        &sanitize_str(&rules, html).unwrap(),
        "Lorem ipsum dolor sit amet "
    );
}