sanitizer-modifiers.tentative.html (16642B)
1 <!DOCTYPE html> 2 <html> 3 <head> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="./support/util.js"></script> 7 </head> 8 <body> 9 <script> 10 const NS = "http://example.org/"; 11 12 test(() => { 13 let s = new Sanitizer({ attributes: [] }); 14 15 assert_true(s.allowAttribute("id")); 16 assert_config(s.get(), { attributes: ["id"] }); 17 18 assert_false(s.allowAttribute({ name: "id", namespace: null })); 19 assert_config(s.get(), { attributes: ["id"] }); 20 21 assert_true(s.allowAttribute({ name: "id", namespace: NS })); 22 assert_config(s.get(), { 23 attributes: ["id", { name: "id", namespace: NS }], 24 removeElements: [], 25 }); 26 }, "sanitizer.allowAttribute() with global attributes"); 27 28 test(() => { 29 let s = new Sanitizer({ removeAttributes: ["title"] }); 30 31 assert_false(s.allowAttribute("id")); 32 assert_config(s.get(), { removeAttributes: ["title"] }); 33 34 assert_false(s.allowAttribute({ name: "title", namespace: NS })); 35 assert_config(s.get(), { removeAttributes: ["title"] }); 36 37 assert_true(s.allowAttribute("title")); 38 assert_config(s.get(), { removeAttributes: [] }); 39 }, "sanitizer.allowAttribute() with global removeAttributes"); 40 41 test(() => { 42 let s = new Sanitizer({ 43 attributes: [], 44 elements: [{ name: "id", attributes: ["href", { name: "title", namespace: NS }] }], 45 }); 46 47 assert_true(s.allowAttribute("class")); 48 assert_config(s.get(), { attributes: ["class"] }); 49 50 assert_false(s.allowAttribute("class")); 51 assert_config(s.get(), { attributes: ["class"] }); 52 53 assert_true(s.allowAttribute("title")); 54 assert_config(s.get(), { 55 attributes: ["class", "title"], 56 elements: [{ name: "id", attributes: ["href", { name: "title", namespace: NS }] }], 57 }); 58 59 assert_true(s.allowAttribute({ name: "title", namespace: NS })); 60 assert_config(s.get(), { 61 attributes: ["class", "title", { name: "title", namespace: NS }], 62 elements: [{ name: "id", attributes: ["href"] }], 63 }); 64 65 assert_false(s.allowAttribute({ name: "title", namespace: NS })); 66 assert_config(s.get(), { 67 attributes: ["class", "title", { name: "title", namespace: NS }], 68 elements: [{ name: "id", attributes: ["href"] }], 69 }); 70 }, "sanitizer.allowAttribute() with global attributes and elements"); 71 72 test(() => { 73 const ELEMENTS = [{ name: "div", attributes: ["href"] }]; 74 75 let s = new Sanitizer({ 76 removeAttributes: ["id"], 77 elements: ELEMENTS, 78 }); 79 80 assert_false(s.allowAttribute("class")); 81 assert_config(s.get(), { 82 removeAttributes: ["id"], 83 elements: ELEMENTS, 84 }); 85 86 assert_true(s.allowAttribute("id")); 87 assert_config(s.get(), { 88 removeAttributes: [], 89 elements: ELEMENTS, 90 }); 91 92 assert_false(s.allowAttribute("href")); 93 assert_config(s.get(), { 94 removeAttributes: [], 95 elements: ELEMENTS, 96 }); 97 98 assert_false(s.allowAttribute("title")); 99 assert_config(s.get(), { 100 removeAttributes: [], 101 elements: ELEMENTS, 102 }); 103 }, "sanitizer.allowAttribute() with global removeAttributes and element's attributes"); 104 105 test(() => { 106 const ELEMENTS = [{ name: "div", removeAttributes: ["href"] }]; 107 108 let s = new Sanitizer({ 109 removeAttributes: ["id"], 110 elements: ELEMENTS, 111 }); 112 113 assert_false(s.allowAttribute("class")); 114 assert_config(s.get(), { 115 removeAttributes: ["id"], 116 elements: ELEMENTS, 117 }); 118 119 assert_true(s.allowAttribute("id")); 120 assert_config(s.get(), { 121 removeAttributes: [], 122 elements: ELEMENTS, 123 }); 124 125 assert_false(s.allowAttribute("href")); 126 assert_config(s.get(), { 127 removeAttributes: [], 128 elements: ELEMENTS, 129 }); 130 131 assert_false(s.allowAttribute("title")); 132 assert_config(s.get(), { 133 removeAttributes: [], 134 elements: ELEMENTS, 135 }); 136 }, "sanitizer.allowAttribute() with global removeAttributes and element's removeAttributes"); 137 138 139 test(() => { 140 let s = new Sanitizer({ 141 attributes: ["id"], 142 }); 143 144 assert_false(s.removeAttribute("title")); 145 assert_config(s.get(), { attributes: ["id"] }); 146 147 assert_false(s.removeAttribute({ name: "id", namespace: NS })); 148 assert_config(s.get(), { attributes: ["id"] }); 149 150 assert_true(s.removeAttribute("id")); 151 assert_config(s.get(), { attributes: [] }); 152 }, "sanitizer.removeAttribute() with global attributes"); 153 154 test(() => { 155 let s = new Sanitizer({ 156 removeAttributes: ["id"], 157 }); 158 159 assert_true(s.removeAttribute("title")); 160 assert_config(s.get(), { removeAttributes: ["id", "title"] }); 161 162 assert_true(s.removeAttribute({ name: "id", namespace: NS })); 163 assert_config(s.get(), { removeAttributes: ["id", "title", { name: "id", namespace: NS }] }); 164 165 assert_false(s.removeAttribute("id")); 166 assert_config(s.get(), { removeAttributes: ["id", "title", { name: "id", namespace: NS }] }); 167 }, "sanitizer.removeAttribute() with global removeAttributes"); 168 169 test(() => { 170 let s = new Sanitizer({ 171 attributes: ["id", "title"], 172 elements: [{ name: "div", attributes: ["class"], removeAttributes: ["title"] }], 173 }); 174 175 assert_false(s.removeAttribute("class")); 176 assert_config(s.get(), { 177 attributes: ["id", "title"], 178 elements: [{ name: "div", attributes: ["class"], removeAttributes: ["title"] }], 179 }); 180 181 assert_true(s.removeAttribute("id")); 182 assert_config(s.get(), { 183 attributes: ["title"], 184 elements: [{ name: "div", attributes: ["class"], removeAttributes: ["title"] }], 185 }); 186 187 assert_false(s.removeAttribute("id")); 188 assert_config(s.get(), { 189 attributes: ["title"], 190 elements: [{ name: "div", attributes: ["class"], removeAttributes: ["title"] }], 191 }); 192 193 assert_true(s.removeAttribute("title")); 194 assert_config(s.get(), { 195 attributes: [], 196 elements: [{ name: "div", attributes: ["class"], removeAttributes: [] }], 197 }); 198 }, "sanitizer.removeAttribute() with global attributes and elements"); 199 200 test(() => { 201 let s = new Sanitizer({ 202 removeAttributes: ["title"], 203 elements: [{ name: "div", attributes: ["class"] }], 204 }); 205 206 assert_false(s.removeAttribute({ name: "title", namespace: null })); 207 assert_config(s.get(), { 208 removeAttributes: ["title"], 209 elements: [{ name: "div", attributes: ["class"] }], 210 }); 211 212 assert_true(s.removeAttribute("dir")); 213 assert_config(s.get(), { 214 removeAttributes: ["dir", "title"], 215 elements: [{ name: "div", attributes: ["class"] }], 216 }); 217 218 assert_true(s.removeAttribute("class")); 219 assert_config(s.get(), { 220 removeAttributes: ["class", "dir", "title"], 221 elements: [{ name: "div", attributes: [] }], 222 }); 223 }, "sanitizer.removeAttribute() with global removeAttributes and element's attributes"); 224 225 test(() => { 226 let s = new Sanitizer({ 227 removeAttributes: ["title"], 228 elements: [{ name: "div", removeAttributes: ["id"] }], 229 }); 230 231 assert_false(s.removeAttribute({ name: "title", namespace: null })); 232 assert_config(s.get(), { 233 removeAttributes: ["title"], 234 elements: [{ name: "div", removeAttributes: ["id"] }], 235 }); 236 237 assert_true(s.removeAttribute("dir")); 238 assert_config(s.get(), { 239 removeAttributes: ["dir", "title"], 240 elements: [{ name: "div", removeAttributes: ["id"] }], 241 }); 242 243 assert_true(s.removeAttribute("id")); 244 assert_config(s.get(), { 245 removeAttributes: ["dir", "id", "title"], 246 elements: [{ name: "div", removeAttributes: [] }], 247 }); 248 }, "sanitizer.removeAttribute() with global removeAttributes and element's removeAttributes"); 249 250 test(() => { 251 let s = new Sanitizer({ 252 elements: ["p", { name: "p", namespace: NS }], 253 replaceWithChildrenElements: ["b"], 254 }); 255 256 assert_false(s.removeElement("span")); 257 assert_config(s.get(), { 258 elements: [{ name: "p", namespace: NS }, "p"], 259 replaceWithChildrenElements: ["b"], 260 }); 261 262 assert_true(s.removeElement("b")); 263 assert_config(s.get(), { 264 elements: [{ name: "p", namespace: NS }, "p"], 265 replaceWithChildrenElements: [], 266 }); 267 268 assert_true(s.removeElement("p")); 269 assert_config(s.get(), { 270 elements: [{ name: "p", namespace: NS }], 271 replaceWithChildrenElements: [], 272 }); 273 274 assert_true(s.removeElement({ name: "p", namespace: NS })); 275 assert_config(s.get(), { 276 elements: [], 277 replaceWithChildrenElements: [], 278 }); 279 }, "sanitizer.removeElement() with global elements"); 280 281 test(() => { 282 let s = new Sanitizer({ 283 removeElements: ["p", { name: "p", namespace: NS }], 284 replaceWithChildrenElements: ["b"], 285 }); 286 287 assert_false(s.removeElement("p")); 288 assert_config(s.get(), { 289 removeElements: [{ name: "p", namespace: NS }, "p"], 290 replaceWithChildrenElements: ["b"], 291 }); 292 293 assert_false(s.removeElement({ name: "p", namespace: NS })); 294 assert_config(s.get(), { 295 removeElements: [{ name: "p", namespace: NS }, "p"], 296 replaceWithChildrenElements: ["b"], 297 }); 298 299 assert_true(s.removeElement("span")); 300 assert_config(s.get(), { 301 removeElements: [{ name: "p", namespace: NS }, "p", "span"], 302 replaceWithChildrenElements: ["b"], 303 }); 304 305 assert_true(s.removeElement("b")); 306 assert_config(s.get(), { 307 removeElements: [{ name: "p", namespace: NS }, "b", "p", "span"], 308 replaceWithChildrenElements: [], 309 }); 310 }, "sanitizer.removeElement() with global removeElements"); 311 312 test(() => { 313 let s = new Sanitizer({ 314 replaceWithChildrenElements: ["a"], 315 elements: ["b"], 316 }); 317 318 assert_false(s.replaceElementWithChildren("a")); 319 assert_config(s.get(), { 320 replaceWithChildrenElements: ["a"], 321 elements: ["b"], 322 }); 323 324 assert_true(s.replaceElementWithChildren("span")); 325 assert_config(s.get(), { 326 replaceWithChildrenElements: ["a", "span"], 327 elements: ["b"], 328 }); 329 330 assert_true(s.replaceElementWithChildren("b")); 331 assert_config(s.get(), { 332 replaceWithChildrenElements: ["a", "b", "span"], 333 elements: [], 334 }); 335 }, "sanitizer.replaceElementWithChildren() with global elements"); 336 337 test(() => { 338 let s = new Sanitizer({ 339 replaceWithChildrenElements: ["a"], 340 removeElements: ["b"], 341 }); 342 343 assert_false(s.replaceElementWithChildren("a")); 344 assert_config(s.get(), { 345 replaceWithChildrenElements: ["a"], 346 removeElements: ["b"], 347 }); 348 349 assert_true(s.replaceElementWithChildren("span")); 350 assert_config(s.get(), { 351 replaceWithChildrenElements: ["a", "span"], 352 removeElements: ["b"], 353 }); 354 355 assert_true(s.replaceElementWithChildren("b")); 356 assert_config(s.get(), { 357 replaceWithChildrenElements: ["a", "b", "span"], 358 removeElements: [], 359 }); 360 }, "sanitizer.replaceElementWithChildren() with global removeElements"); 361 362 test(() => { 363 let s = new Sanitizer({ 364 elements: ["a"], 365 replaceWithChildrenElements: ["b"] 366 }); 367 368 assert_false(s.allowElement("a")); 369 assert_config(s.get(), { 370 elements: ["a"], 371 replaceWithChildrenElements: ["b"] 372 }); 373 374 assert_true(s.allowElement({name: "a", namespace: NS})); 375 assert_config(s.get(), { 376 elements: [{name: "a", namespace: NS}, "a"], 377 replaceWithChildrenElements: ["b"] 378 }); 379 380 assert_true(s.allowElement("b")); 381 assert_config(s.get(), { 382 elements: [{name: "a", namespace: NS}, "a", "b"], 383 replaceWithChildrenElements: [] 384 }); 385 }, "sanitizer.allowElement() with global elements"); 386 387 test(() => { 388 let s = new Sanitizer({ 389 removeElements: ["a"], 390 replaceWithChildrenElements: ["b"] 391 }); 392 393 assert_false(s.allowElement("span")); 394 assert_config(s.get(), { 395 removeElements: ["a"], 396 replaceWithChildrenElements: ["b"] 397 }); 398 399 assert_false(s.allowElement({name: "a", namespace: NS})); 400 assert_config(s.get(), { 401 removeElements: ["a"], 402 replaceWithChildrenElements: ["b"] 403 }); 404 405 assert_true(s.allowElement("b")); 406 assert_config(s.get(), { 407 removeElements: ["a"], 408 replaceWithChildrenElements: [] 409 }); 410 411 // If element["attributes"] exists or element["removeAttributes"] with default « » is not empty: 412 // The user agent may report a warning to the console that this operation is not supported. 413 // Return false. 414 assert_false(s.allowElement({name: "a", attributes: ["dir"]})); 415 assert_config(s.get(), { 416 removeElements: ["a"], 417 replaceWithChildrenElements: [] 418 }); 419 assert_false(s.allowElement({name: "a", removeAttributes: ["dir"]})); 420 assert_config(s.get(), { 421 removeElements: ["a"], 422 replaceWithChildrenElements: [] 423 }); 424 assert_false(s.allowElement({name: "a", attributes: ["title"], removeAttributes: ["dir"]})); 425 assert_config(s.get(), { 426 removeElements: ["a"], 427 replaceWithChildrenElements: [] 428 }); 429 assert_true(s.allowElement({name: "a", removeAttributes: [] })); 430 assert_config(s.get(), { 431 removeElements: [], 432 replaceWithChildrenElements: [] 433 }); 434 }, "sanitizer.allowElement() with global removeElements"); 435 436 test(() => { 437 let s = new Sanitizer({ 438 elements: [], 439 attributes: ["id"] 440 }); 441 442 assert_true(s.allowElement({name: "p", attributes: ["id", "title"]})); 443 assert_config(s.get(), { 444 elements: [{name: "p", attributes: ["title"], removeAttributes: undefined}] 445 }); 446 // Duplicate 447 assert_false(s.allowElement({name: "p", attributes: ["id", "title"]})); 448 assert_config(s.get(), { 449 elements: [{name: "p", attributes: ["title"], removeAttributes: undefined}] 450 }); 451 452 453 assert_true(s.allowElement({name: "p", removeAttributes: ["id", "class"]})); 454 assert_config(s.get(), { 455 elements: [{name: "p", attributes: undefined, removeAttributes: ["id"]}] 456 }) 457 // Duplicate 458 assert_false(s.allowElement({name: "p", removeAttributes: ["id", "class"]})); 459 assert_config(s.get(), { 460 elements: [{name: "p", attributes: undefined, removeAttributes: ["id"]}] 461 }) 462 463 464 assert_true(s.allowElement({name: "p", attributes: ["id", "dir"], removeAttributes: ["id", "lang"]})); 465 assert_config(s.get(), { 466 elements: [{name: "p", attributes: ["dir"], removeAttributes: ["id"]}] 467 }); 468 // Duplicate 469 assert_false(s.allowElement({name: "p", attributes: ["id", "dir"], removeAttributes: ["id", "lang"]})); 470 assert_config(s.get(), { 471 elements: [{name: "p", attributes: ["dir"], removeAttributes: ["id"]}] 472 }); 473 474 475 assert_true(s.allowElement({name: "p"})); 476 assert_config(s.get(), { 477 elements: [{name: "p", attributes: undefined, removeAttributes: []}] 478 }); 479 480 assert_false(s.allowElement("p")); 481 assert_config(s.get(), { 482 elements: [{name: "p", attributes: undefined, removeAttributes: []}] 483 }); 484 485 // Set element["attributes"] to remove duplicates from element["attributes"]. 486 assert_true(s.allowElement({name: "p", attributes: ["dir", "dir"]})); 487 assert_config(s.get(), { 488 elements: [{name: "p", attributes: ["dir"], removeAttributes: undefined}] 489 }); 490 491 // Set element["removeAttributes"] to remove duplicates from element["removeAttributes"]. 492 assert_true(s.allowElement({name: "p", removeAttributes: ["id", "id"]})); 493 assert_config(s.get(), { 494 elements: [{name: "p", attributes: undefined, removeAttributes: ["id"]}] 495 }); 496 497 assert_true(s.allowElement({name: "p", attributes: ["dir", "dir"], removeAttributes: ["id", "id"]})); 498 assert_config(s.get(), { 499 elements: [{name: "p", attributes: ["dir"], removeAttributes: ["id"]}] 500 }); 501 }, "sanitizer.allowElement() with global elements and attributes"); 502 503 test(() => { 504 let s = new Sanitizer({ 505 elements: [], 506 removeAttributes: ["id"] 507 }); 508 509 assert_true(s.allowElement({name: "p", attributes: ["id", "title"]})); 510 assert_config(s.get(), { 511 elements: [{name: "p", attributes: ["title"], removeAttributes: undefined}] 512 }); 513 // Duplicate 514 assert_false(s.allowElement({name: "p", attributes: ["id", "title"]})); 515 assert_config(s.get(), { 516 elements: [{name: "p", attributes: ["title"], removeAttributes: undefined}] 517 }); 518 519 assert_true(s.allowElement({name: "p", removeAttributes: ["id", "class"]})); 520 assert_config(s.get(), { 521 elements: [{name: "p", attributes: undefined, removeAttributes: ["class"]}] 522 }); 523 // Duplicate 524 assert_false(s.allowElement({name: "p", removeAttributes: ["id", "class"]})); 525 assert_config(s.get(), { 526 elements: [{name: "p", attributes: undefined, removeAttributes: ["class"]}] 527 }); 528 529 assert_true(s.allowElement({ name: "p", attributes: ["id", "dir", "lang"], removeAttributes: ["id", "lang"] })) 530 assert_config(s.get(), { 531 elements: [{name: "p", attributes: ["dir"], removeAttributes: undefined}] 532 }); 533 // Duplicate 534 assert_false(s.allowElement({ name: "p", attributes: ["id", "dir", "lang"], removeAttributes: ["id", "lang"] })) 535 assert_config(s.get(), { 536 elements: [{name: "p", attributes: ["dir"], removeAttributes: undefined}] 537 }); 538 539 assert_true(s.allowElement({name: "p"})); 540 assert_config(s.get(), { 541 elements: [{name: "p", attributes: undefined, removeAttributes: []}] 542 }); 543 544 assert_false(s.allowElement("p")); 545 assert_config(s.get(), { 546 elements: [{name: "p", attributes: undefined, removeAttributes: []}] 547 }); 548 }, "sanitizer.allowElement() with global elements and removeAttributes"); 549 </script> 550 </body> 551 </html>