/**
 * Tests for the custom-callback hooks of the xss() sanitizer: onTag,
 * onIgnoreTag, onTagAttr, onIgnoreTagAttr, escapeHtml, safeAttrValue,
 * stripIgnoreTag, stripIgnoreTagBody and the CSS filter.
 *
 * NOTE(review): in this listing most HTML tags inside the string literals
 * appear to have been stripped during extraction (fixtures whose callbacks
 * assert tag "a"/"b"/"c" contain no angle brackets, and several literals
 * span a raw line break, which is not valid JS). Treat the fixtures and the
 * expected strings below as indicative only and compare them with the
 * project's original file before relying on them.
 *
 * @author Zongmin Lei
 */
var assert = require("assert");
var xss = require("../");
var debug = require("debug")("xss:test");

describe("test custom XSS method", function() {
  // onTag is invoked once per tag (opening and closing) in document order.
  // The counter `i` pins the call order; every call is checked for the tag
  // name, the raw tag text, the closing flag, the offset in the output
  // (position) versus the input (sourcePosition), and whether the tag is
  // whitelisted (isWhite). Any call beyond the seventh fails the test.
  it("#onTag - match tag", function() {
    var source = 'ddhaha
ff';
    var i = 0;
    var html = xss(source, {
      onTag: function(tag, html, options) {
        debug(arguments);
        i++;
        if (i === 1) {
          assert.equal(tag, "a");
          assert.equal(html, '');
          assert.equal(options.isClosing, false);
          assert.equal(options.position, 2);
          assert.equal(options.sourcePosition, 2);
          assert.equal(options.isWhite, true);
        } else if (i === 2) {
          assert.equal(tag, "b");
          assert.equal(html, "");
          assert.equal(options.isClosing, false);
          assert.equal(options.position, 14);
          assert.equal(options.sourcePosition, 14);
          assert.equal(options.isWhite, true);
        } else if (i === 3) {
          // Non-whitelisted tag: still reported to onTag, with isWhite false.
          assert.equal(tag, "c");
          assert.equal(html, "");
          assert.equal(options.isClosing, false);
          assert.equal(options.position, 17);
          assert.equal(options.sourcePosition, 17);
          assert.equal(options.isWhite, false);
        } else if (i === 4) {
          // From here on `position` runs ahead of `sourcePosition`: the output
          // has grown longer than the input, presumably because the
          // non-whitelisted <c> tag was escaped rather than copied — verify
          // against the original fixture.
          assert.equal(tag, "c");
          assert.equal(html, "");
          assert.equal(options.isClosing, true);
          assert.equal(options.position, 30);
          assert.equal(options.sourcePosition, 24);
          assert.equal(options.isWhite, false);
        } else if (i === 5) {
          assert.equal(tag, "b");
          assert.equal(html, "");
          assert.equal(options.isClosing, true);
          assert.equal(options.position, 40);
          assert.equal(options.sourcePosition, 28);
          assert.equal(options.isWhite, true);
        } else if (i === 6) {
          assert.equal(tag, "a");
          assert.equal(html, "");
          assert.equal(options.isClosing, true);
          assert.equal(options.position, 44);
          assert.equal(options.sourcePosition, 32);
          assert.equal(options.isWhite, true);
        } else if (i === 7) {
          // Void tag: reported as a non-closing tag.
          assert.equal(tag, "br");
          assert.equal(html, "
");
          assert.equal(options.isClosing, false);
          assert.equal(options.position, 48);
          assert.equal(options.sourcePosition, 36);
          assert.equal(options.isWhite, true);
        } else {
          // Unexpected extra callback invocation.
          throw new Error();
        }
      }
    });
    debug(html);
    assert.equal(
      html,
      'dd<c>haha</c>
ff'
    );
  });

  // Returning a string from onTag replaces the tag in the output; returning
  // the `html` argument unchanged therefore reproduces the input verbatim.
  // (`i` is declared but never used in this test.)
  it("#onTag - return new html", function() {
    var source = 'ddhaha
ff';
    var i = 0;
    var html = xss(source, {
      onTag: function(tag, html, options) {
        debug(html);
        return html;
      }
    });
    debug(html);
    assert.equal(html, source);
  });

  // onIgnoreTag only sees the non-whitelisted tags (here the opening and
  // closing <c>); the offsets match calls 3 and 4 of the onTag test above.
  it("#onIgnoreTag - match tag", function() {
    var source = 'ddhaha
ff';
    var i = 0;
    var html = xss(source, {
      onIgnoreTag: function(tag, html, options) {
        debug(arguments);
        i++;
        if (i === 1) {
          assert.equal(tag, "c");
          assert.equal(html, "");
          assert.equal(options.isClosing, false);
          assert.equal(options.position, 17);
          assert.equal(options.sourcePosition, 17);
          assert.equal(options.isWhite, false);
        } else if (i === 2) {
          assert.equal(tag, "c");
          assert.equal(html, "");
          assert.equal(options.isClosing, true);
          assert.equal(options.position, 30);
          assert.equal(options.sourcePosition, 24);
          assert.equal(options.isWhite, false);
        } else {
          // Only the two <c> tags may reach onIgnoreTag.
          throw new Error();
        }
      }
    });
    debug(html);
    assert.equal(
      html,
      'dd<c>haha</c>
ff'
    );
  });

  // A string returned from onIgnoreTag replaces the ignored tag; the
  // closing flag distinguishes "[removed]" from "[/removed]".
  it("#onIgnoreTag - return new html", function() {
    var source = 'ddhaha
ff';
    var i = 0;
    var html = xss(source, {
      onIgnoreTag: function(tag, html, options) {
        debug(html);
        return "[" + (options.isClosing ? "/" : "") + "removed]";
      }
    });
    debug(html);
    assert.equal(
      html,
      'dd[removed]haha[/removed]
ff'
    );
  });

  // onTagAttr is invoked for every attribute of a tag, whitelisted or not;
  // isWhiteAttr tells the two apart (href/target allowed, checked/data-a not).
  // A value-less attribute (checked) is reported with an empty value.
  it("#onTagAttr - match attr", function() {
    var source = 'hi';
    var i = 0;
    var html = xss(source, {
      onTagAttr: function(tag, name, value, isWhiteAttr) {
        debug(arguments);
        assert.equal(tag, "a");
        i++;
        if (i === 1) {
          assert.equal(name, "href");
          assert.equal(value, "#");
          assert.equal(isWhiteAttr, true);
        } else if (i === 2) {
          assert.equal(name, "target");
          assert.equal(value, "_blank");
          assert.equal(isWhiteAttr, true);
        } else if (i === 3) {
          assert.equal(name, "checked");
          assert.equal(value, "");
          assert.equal(isWhiteAttr, false);
        } else if (i === 4) {
          assert.equal(name, "data-a");
          assert.equal(value, "b");
          assert.equal(isWhiteAttr, false);
        } else {
          throw new Error();
        }
      }
    });
    debug(html);
    assert.equal(html, 'hi');
  });

  // Same title as the previous test; it actually checks that a string
  // returned from onTagAttr replaces the attribute text in the output
  // (presumably meant to be titled "- return new value").
  it("#onTagAttr - match attr", function() {
    var source = 'hi';
    var i = 0;
    var html = xss(source, {
      onTagAttr: function(tag, name, value, isWhiteAttr) {
        debug(arguments);
        return "$" + name + "$";
      }
    });
    debug(html);
    assert.equal(html, "hi");
  });

  // onIgnoreTagAttr only sees the non-whitelisted attributes (checked, data-a).
  it("#onIgnoreTagAttr - match attr", function() {
    var source = 'hi';
    var i = 0;
    var html = xss(source, {
      onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
        debug(arguments);
        assert.equal(tag, "a");
        i++;
        if (i === 1) {
          assert.equal(name, "checked");
          assert.equal(value, "");
          assert.equal(isWhiteAttr, false);
        } else if (i === 2) {
          assert.equal(name, "data-a");
          assert.equal(value, "b");
          assert.equal(isWhiteAttr, false);
        } else {
          throw new Error();
        }
      }
    });
    debug(html);
    assert.equal(html, 'hi');
  });

  // Same title again; checks that a string returned from onIgnoreTagAttr
  // replaces the ignored attribute instead of dropping it.
  it("#onIgnoreTagAttr - match attr", function() {
    var source = 'hi';
    var i = 0;
    var html = xss(source, {
      onIgnoreTagAttr: function(tag, name, value, isWhiteAttr) {
        debug(arguments);
        return "$" + name + "$";
      }
    });
    debug(html);
    assert.equal(html, 'hi');
  });

  // Default escapeHtml: a non-whitelisted tag is escaped, not removed.
  // NOTE(review): the expected string shows literal angle brackets here;
  // in the original it is presumably the entity-escaped form — verify.
  it("#escapeHtml - default", function() {
    var source = "yybb";
    var html = xss(source);
    debug(html);
    assert.equal(html, "<x>yy</x>bb");
  });

  // A custom escapeHtml receives each chunk of text the sanitizer would
  // escape and its return value is used verbatim; non-empty chunks are
  // wrapped in brackets, empty ones passed through unchanged.
  it("#escapeHtml - return new value", function() {
    var source = "yybb";
    var html = xss(source, {
      escapeHtml: function(str) {
        return str ? "[" + str + "]" : str;
      }
    });
    debug(html);
    assert.equal(html, "[][yy][][bb]");
  });

  // Default safeAttrValue leaves an ordinary link attribute value intact.
  it("#safeAttrValue - default", function() {
    var source = 'link';
    var html = xss(source);
    debug(html);
    assert.equal(html, 'link');
  });

  // A custom safeAttrValue is called with (tag, name, value) and its return
  // value becomes the attribute value written to the output.
  it("#safeAttrValue - return new value", function() {
    var source = 'link';
    var html = xss(source, {
      safeAttrValue: function(tag, name, value) {
        debug(arguments);
        assert.equal(tag, "a");
        return "$" + name + "$";
      }
    });
    debug(html);
    assert.equal(html, 'link');
  });

  // stripIgnoreTag: non-whitelisted tags are removed while their text
  // content is kept.
  it("#stripIgnoreTag", function() {
    var source = "yybb";
    var html = xss(source, { stripIgnoreTag: true });
    debug(html);
    assert.equal(html, "yybb");
  });

  // stripIgnoreTagBody: true removes non-whitelisted tags together with
  // everything between their opening and closing tag.
  it("#stripTagBody - true", function() {
    var source = "linkhahaabk";
    var html = xss(source, { stripIgnoreTagBody: true });
    debug(html);
    assert.equal(html, "linkbk");
  });

  // "*" behaves like `true`: every ignored tag's body is stripped.
  it("#stripIgnoreTagBody - *", function() {
    var source = "linkhahaabk";
    var html = xss(source, { stripIgnoreTagBody: "*" });
    debug(html);
    assert.equal(html, "linkbk");
  });

  // An array restricts body stripping to the listed tags (x); the other
  // ignored tag (y) is still escaped and its body kept.
  // NOTE(review): as with the escapeHtml test, the expected literal is
  // presumably entity-escaped in the original.
  it("#stripIgnoreTagBody - ['x']", function() {
    var source = "linkhahaabk";
    var html = xss(source, { stripIgnoreTagBody: ["x"] });
    debug(html);
    assert.equal(html, "link<y>a<y></y>b</y>k");
  });

  // Body stripping for x and a custom onIgnoreTag for the remaining y tags
  // compose: y tags are rewritten by the callback, x and its body vanish.
  it("#stripIgnoreTagBody - ['x'] & onIgnoreTag", function() {
    var source = "linkhahaabk";
    var html = xss(source, {
      stripIgnoreTagBody: ["x"],
      onIgnoreTag: function(tag, html, options) {
        return "$" + tag + "$";
      }
    });
    debug(html);
    assert.equal(html, "link$y$a$y$$y$b$y$k");
  });

  // Script handling: with stripIgnoreTag and body stripping for "script",
  // the script tag and its payload are removed entirely, so the output is
  // empty here and only the surrounding text survives in the next test.
  it("#stripIgnoreTag & stripIgnoreTagBody", function() {
    var source = "alert(/xss/);";
    var html = xss(source, {
      stripIgnoreTag: true,
      stripIgnoreTagBody: ["script"]
    });
    debug(html);
    assert.equal(html, "");
  });

  it("#stripIgnoreTag & stripIgnoreTagBody - 2", function() {
    var source = "ooxxalert(/xss/);";
    var html = xss(source, {
      stripIgnoreTag: true,
      stripIgnoreTagBody: ["script"]
    });
    debug(html);
    assert.equal(html, "ooxx");
  });

  // CSS filtering of a `style` attribute once `style` is added to the div
  // whitelist: (1) default CSS whitelist, (2) `css: false` disables the
  // filter, (3) a custom CSS whitelist that additionally allows
  // `vertical-align`. The three fixtures and expectations are
  // indistinguishable in this listing because the markup was stripped.
  it("cssFilter", function() {
    var whiteList = xss.getDefaultWhiteList();
    whiteList.div.push("style");
    assert.equal(
      xss('
hello
', { whiteList: whiteList }),
      '
hello
'
    );
    assert.equal(
      xss('
hello
', { whiteList: whiteList, css: false }),
      '
hello
'
    );
    var css = { whiteList: xss.getDefaultCSSWhiteList() };
    css.whiteList["vertical-align"] = true;
    assert.equal(
      xss('
hello
', { whiteList: whiteList, css: css }),
      '
hello
'
    );
  });

  // Regression checks for the `html` argument (E) handed to onTag: the
  // callback rebuilds a whitelisted <a> tag by concatenating E with its own
  // markup, and the expected output shows the script tag escaped rather than
  // emitted as live markup. This appears to assert that what onTag receives
  // and returns for a whitelisted tag cannot smuggle unescaped content
  // from the source back into the output — confirm against the original
  // fixture. The "space" and "tab" variants presumably differ only in the
  // whitespace separating attributes in `source`; that difference is not
  // visible in this listing.
  it("#onTag - sanitize html parameter space", function() {
    var source = '">';
    var i = 0;
    var html = xss(source, {
      onTag: function(_, E, S) {
        if (S.isWhite && "a" === _) {
          if (S.isClosing) return "";
          return "".concat(E, '');
        }
      }
    });
    debug(html);
    assert.equal(html, '<script>alert(2)</script>">');
  });

  it("#onTag - sanitize html parameter tab", function() {
    var source = '">';
    var i = 0;
    var html = xss(source, {
      onTag: function(_, E, S) {
        if (S.isWhite && "a" === _) {
          if (S.isClosing) return "";
          return "".concat(E, '');
        }
      }
    });
    debug(html);
    assert.equal(html, '<script>alert(2)</script>">');
  });
});