agnes/mourningdove
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
mourningdove/t/cleaner-comment.t

196 lines
7.4 KiB
Perl
Raw Permalink Normal View History

first!
2026-05-24 01:03:05 +00:00
# t/clean-comment.t
#
# Test LJ::CleanHTML::clean_comment.
#
# Authors:
# Afuna <coder.dw@afunamatata.com>
# Jen Griffin <kareila@livejournal.com>
#
# Copyright (c) 2013 by Dreamwidth Studios, LLC.
#
# This program is free software; you may redistribute it and/or modify it under
# the same terms as Perl itself. For a copy of the license, please reference
# 'perldoc perlartistic' or 'perldoc perlgpl'.
#
use strict;
use warnings;
use Test::More tests => 28;
BEGIN { require "$ENV{LJHOME}/t/lib/ljtestlib.pl"; }
use LJ::CleanHTML;
my $orig_comment;
my $clean_comment;
my $clean = sub {
my $opts = shift;
LJ::CleanHTML::clean_comment( \$orig_comment, $opts );
};
# remove various positioning and display rules
$orig_comment = qq{<span style="display: none; display:none; display : none; display: inline">};
$clean_comment = qq{<span style="\\s*display: inline\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "Removed display:none ($orig_comment)" );
$orig_comment = qq{<span style="margin-top: 10px;">};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "Removed margin ($orig_comment)" );
$orig_comment = qq{<span style="height: 150px;">};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "Removed height" );
# handle unreasonably large padding values
$orig_comment =
qq{<span style="padding-top: 9999999px; padding-left: 9999999px; padding-top: 9999999px; padding-bottom: 9999999px"></span>};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "All padding removed. (Multiple rules, all too large)" );
$orig_comment = qq{<span style="padding: 999px 999px 999px 999px"></span>};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/,
"All padding removed. (Combined into one rule, all too large)" );
$orig_comment = qq{<span style="padding-left: 999px; padding-right: 200px;"></span>};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/,
"All padding removed. (Multiple rules, mixed too large and small enough)" );
$orig_comment = qq{<span style="padding: 999px 200px;"></span>};
$clean_comment = qq{<span style="\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/,
"All padding removed. (One dimension in a combined rule, mixed too large and small enough)" );
$orig_comment =
qq{<span style="padding-top: 200px; padding-left: 200px; padding-right: 150px; padding-bottom: 150px;"></span>};
$clean_comment =
qq{<span style="\\s*padding-top: 200px;\\s*padding-left: 200px;\\s*padding-right: 150px;\\s*padding-bottom: 150px;\\s*"><\\/span>};
$clean->( { remove_positioning => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "Padding not removed; of reasonable size." );
$orig_comment = qq{<font color="red">test};
$clean_comment = qq{<font color="red">test</font>};
$clean->();
ok( $orig_comment eq $clean_comment, "Font tag closed." );
$orig_comment = qq{<font color="red"></div>test};
$clean_comment = qq{<font color="red">test</font>};
$clean->();
ok( $orig_comment eq $clean_comment, "Spurious closing div stripped." );
$orig_comment = qq{<font color="red"><div>test</font>};
$clean_comment = qq{<font color="red"><div>test</div></font>};
$clean->();
ok( $orig_comment eq $clean_comment, "Closing div inserted." );
$orig_comment = qq{<div><font color="red"></div>test</font>};
$clean_comment = qq{<div><font color="red"></font></div>test};
$clean->();
ok( $orig_comment eq $clean_comment, "Bad open/closes fixed." );
$orig_comment = qq{<h1><h2><h3><h1><h2><h3>};
$clean_comment = qq{<h1><h2><h3><h1><h2><h3></h3></h2></h1></h3></h2></h1>};
$clean->();
ok( $orig_comment eq $clean_comment, "Aggressively close things." );
$orig_comment = qq{<h1><h2><h3><h1></h2><h2></h3><h3>};
$clean_comment = qq{<h1><h2><h3><h1></h1></h3></h2><h2><h3></h3></h2></h1>};
$clean->();
ok( $orig_comment eq $clean_comment, "Aggressive close with eaten extra close." );
note("Remove absolute sizes when logged out");
{
$orig_comment = qq{<span style="font-size: larger">foo</span>};
$clean_comment = qq{<span style="font-size: larger">foo</span>};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Retain relative font sizes" );
$orig_comment = qq{<span style="font-size: 10px ">foo</span>};
$clean_comment = qq{<span style="">foo</span>};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Strip absolute font sizes" );
$orig_comment = qq{<span style="font-size:0.2em; font-weight: bold">foo</span>};
$clean_comment = qq{<span style=" font-weight: bold">foo</span>};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Strip absolute font sizes" );
}
note("Don't remove absolute sizes when logged in");
{
$orig_comment = qq{<span style="font-size: larger">foo</span>};
$clean_comment = $orig_comment;
$clean->();
is( $orig_comment, $clean_comment, "Retain relative font sizes" );
$orig_comment = qq{<span style="font-size: 10px ">foo</span>};
$clean_comment = $orig_comment;
$clean->();
is( $orig_comment, $clean_comment, "Retain absolute font sizes" );
$orig_comment = qq{<span style="font-size:0.2em; font-weight: bold">foo</span>};
$clean_comment = $orig_comment;
$clean->();
is( $orig_comment, $clean_comment, "Retain absolute font sizes" );
}
# remove background urls from logged out users
$orig_comment = qq{<span style="background: url('http://www.example.com/example.gif');"></span>};
$clean_comment =
qq{<span style="\\s*background: url\\(&\\#39;http://www.example.com/example.gif&\\#39;\\);\\s*"><\\/span>};
$clean->();
ok( $orig_comment =~ /^$clean_comment$/, "Background URL not cleaned: logged-in user" );
$orig_comment = qq{<span style="background: url('http://www.example.com/example.gif');"></span>};
$clean_comment = qq{<span style="background:\\s*;\\s*"><\\/span>};
$clean->( { anon_comment => 1 } );
ok( $orig_comment =~ /^$clean_comment$/, "Background URL removed: anonymous comment" );
$orig_comment = qq{pre<a href="asdf"> post};
$clean_comment = qq{pre<b> post</b> (asdf)};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Full href bold escape" );
$orig_comment = qq{pre<a href=""> post};
$clean_comment = qq{pre<b> post</b> ()};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Empty href bold escape" );
# another table exploit involving a tags.
$orig_comment = q{<a href=mailto:blah@blah.com><table>};
$clean_comment = q{<b></b> (mailto:blah@blah.com)};
$clean->( { anon_comment => 1 } );
is( $orig_comment, $clean_comment, "Anonymous comment bold escape" );
note("various allowed/disallowed tags");
{
$orig_comment = qq{<em>abc</em>};
$clean_comment = qq{<em>abc</em>};
$clean->();
is( $orig_comment, $clean_comment, "em tag allowed" );
$orig_comment = qq{<marquee>abc</marquee>};
$clean_comment = qq{abc};
$clean->();
is( $orig_comment, $clean_comment, "marquee tag not allowed" );
$orig_comment = qq{<blink>abc</blink>};
$clean_comment = qq{abc};
$clean->();
is( $orig_comment, $clean_comment, "blink tag not allowed" );
}
1;
Reference in a new issue Copy permalink