test_sanitizer_api.html (3440B)
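<!DOCTYPE HTML>
<title>Test sanitizer api</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" href="/tests/SimpleTest/test.css" />
<script type="text/javascript">
"use strict";
/* global Sanitizer */
// we're not done after "onload"
SimpleTest.waitForExplicitFinish();
(async function() {
  // This test is only meaningful with the pref on. When it is off, Sanitizer is
  // not exposed and every assertion below would throw a ReferenceError, so fail
  // loudly and stop here. The `return` also prevents SimpleTest.finish() from
  // being called a second time at the bottom of this function.
  const isEnabled = SpecialPowers.getBoolPref("dom.security.sanitizer.enabled");
  if (!isEnabled) {
    ok(false, "This test should only be run with dom.security.sanitizer.enabled set to true");
    SimpleTest.finish();
    return;
  }

  // basic interface smoke test
  ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on");
  const mySanitizer = new Sanitizer();
  ok(mySanitizer, "Sanitizer constructor works");
  ok("setHTML" in Element.prototype, "Element.setHTML exists");

  // testing sanitizer results
  // Each case feeds `testString` through Element.setHTML with the given
  // `sanitizerOptions` and compares the serialized result against
  // `testExpected`.
  const testCases = [
    {
      testString: "<p>hello</p>",
      testExpected: "<p>hello</p>",
      sanitizerOptions: {}
    },
    {
      testString: "<p>hello</p>",
      testExpected: "<p>hello</p>",
      sanitizerOptions: "default"
    },
    /*
    {
      // script element encoded to not confuse the HTML parser and end execution here
      testString: "<p>second test</p><script>alert(1)\x3C/script>",
      testExpected: "<p>second test</p>",
      sanitizerOptions: {},
    },
    {
      // test for the elements option
      testString: "<p>hello <i>folks</i></p>",
      testExpected: "<p>hello folks</p>",
      sanitizerOptions: { elements: ["p"] },
    },
    {
      // test for the replaceWithChildrenElements option
      testString: "<p>hello <i>folks</i></p>",
      testExpected: "<p>hello folks</p>",
      sanitizerOptions: { replaceWithChildrenElements: ["i"] },
    },
    */
    // TODO: Unknown attributes aren't supported yet.
    // {
    //   // test for the allowAttributes option
    //   testString: `<p haha="lol">hello</p>`,
    //   testExpected: `<p haha="lol">hello</p>`,
    //   sanitizerOptions: { unknownMarkup: true, attributes: ["haha"] },
    // },
    /*
    {
      // confirming the inverse
      testString: `<p haha="lol">hello</p>`,
      testExpected: `<p>hello</p>`,
      sanitizerOptions: {},
    },
    {
      // test for the removeAttributes option
      testString: `<p title="dropme">hello</p>`,
      testExpected: `<p>hello</p>`,
      sanitizerOptions: { removeAttributes: ['title'] },
    },
    {
      // confirming the inverse
      testString: `<p title="dontdropme">hello</p>`,
      testExpected: `<p title="dontdropme">hello</p>`,
      sanitizerOptions: {},
    },
    {
      // if an attribute is allowed and removed, the remove will take preference
      testString: `<p title="lol">hello</p>`,
      testExpected: `<p>hello</p>`,
      sanitizerOptions: {
        attributes: ["title"],
        removeAttributes: ["title"],
      },
    },
    */
  ];

  // A detached element is enough: only the serialized markup is checked.
  const div = document.createElement("div");
  for (const { testString, testExpected, sanitizerOptions } of testCases) {
    try {
      div.setHTML(testString, { sanitizer: sanitizerOptions });
      is(div.innerHTML, testExpected, `div.setHTML should turn '${testString}' into '${testExpected}' (options: ${JSON.stringify(sanitizerOptions)})`);
    } catch (e) {
      // A throwing setHTML() is a test failure, not a reason to abort the run.
      ok(false, `Error in setHTML() test: ${e}`);
    }
  }

  SimpleTest.finish();
})();
</script>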