sanitizer-removeUnsafe.tentative.html (3272B)
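<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
// Tests for Sanitizer.removeUnsafe().
//
// The first test starts from an empty configuration and checks that
// removeUnsafe() produces a remove-list configuration: the element list must
// match the spec's built-in safe baseline, and every removed attribute must be
// an event handler content attribute ("on*") in the null namespace.
//
// The second test checks that the "default" configuration is not changed by
// removeUnsafe().

test(t => {
  // Create an empty config.
  const s = new Sanitizer({});
  // Remove everything unsafe.
  s.removeUnsafe();

  const config = s.get();
  // An empty config that had unsafe items removed must be expressed purely as
  // remove-lists; no allow-list keys may appear.
  assert_false('elements' in config, "no elements");
  assert_false('replaceWithChildrenElements' in config, "no replaceWithChildrenElements");
  assert_false('attributes' in config, "no attributes");

  // https://wicg.github.io/sanitizer-api/#built-in-safe-baseline-configuration
  const SAFE_BASELINE = {
    "removeElements": [
      { "namespace": "http://www.w3.org/1999/xhtml", "name": "embed" },
      { "namespace": "http://www.w3.org/1999/xhtml", "name": "frame" },
      { "namespace": "http://www.w3.org/1999/xhtml", "name": "iframe" },
      { "namespace": "http://www.w3.org/1999/xhtml", "name": "object" },
      { "namespace": "http://www.w3.org/1999/xhtml", "name": "script" },
      { "namespace": "http://www.w3.org/2000/svg", "name": "script" },
      { "namespace": "http://www.w3.org/2000/svg", "name": "use" }
    ],
    // Not compared directly: the attribute list is implementation-defined
    // (see the removeAttributes checks below).
    "removeAttributes": []
  };

  // Fail with a readable message, rather than a TypeError on `.length`, if the
  // remove-lists are missing altogether.
  assert_own_property(config, "removeElements");
  assert_own_property(config, "removeAttributes");

  // The comparison is positional, so the order returned by get() has to match
  // the order of SAFE_BASELINE.
  assert_equals(config.removeElements.length, SAFE_BASELINE.removeElements.length,
                "removeElements has the baseline length");
  for (let i = 0; i < SAFE_BASELINE.removeElements.length; i++) {
    const element = config.removeElements[i];
    const expected = SAFE_BASELINE.removeElements[i];
    assert_own_property(element, "name");
    assert_equals(element.name, expected.name, `removeElements[${i}].name`);
    assert_own_property(element, "namespace");
    assert_equals(element.namespace, expected.namespace, `removeElements[${i}].namespace`);
  }

  // This list depends on the implementation defined "event handler content attributes"
  assert_true(config.removeAttributes.length > 0, "Has removeAttributes");
  for (const attribute of config.removeAttributes) {
    assert_own_property(attribute, "name");
    assert_true(attribute.name.startsWith("on"), `attribute '${attribute.name}' starts with "on"`);
    assert_own_property(attribute, "namespace");  // XXX Maybe optional?
    assert_equals(attribute.namespace, null, "attribute is in null namespace");
  }

  // The prefix check above would also pass for a list that omits the handlers
  // that matter most. The complete list is implementation-defined, so only a
  // few handlers that HTML defines for all elements are pinned here.
  const attributeNames = new Set(config.removeAttributes.map(attribute => attribute.name));
  for (const handler of ["onclick", "onerror", "onload"]) {
    assert_true(attributeNames.has(handler), `removeAttributes contains '${handler}'`);
  }
}, "removeUnsafe removes the right elements and attributes");

test(t => {
  const s = new Sanitizer("default");
  const before = s.get();

  const s2 = new Sanitizer("default");
  s2.removeUnsafe();
  const after = s2.get();

  // None of the default config elements are unsafe.
  assert_true(before.elements.length > 0, "default config has elements");
  assert_equals(before.elements.length, after.elements.length, "elements don't change");

  // None of the default config attributes are unsafe.
  assert_true(before.attributes.length > 0, "default config has attributes");
  assert_equals(before.attributes.length, after.attributes.length, "attributes don't change");

  // Not in default config.
  assert_false('replaceWithChildrenElements' in before, "no replaceWithChildrenElements before");
  assert_false('replaceWithChildrenElements' in after, "no replaceWithChildrenElements after");
  assert_false('removeElements' in before, "no removeElements before");
  assert_false('removeElements' in after, "no removeElements after");
  assert_false('removeAttributes' in before, "no removeAttributes before");
  assert_false('removeAttributes' in after, "no removeAttributes after");
}, "removeUnsafe with default config");
</script>
</body>
</html>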