Increase test coverage (#314)

Signed-off-by: Sven Strickroth <[email protected]>

Author: csware

src/test/java/org/owasp/html/CssSchemaTest.java

@@ -55,6 +55,9 @@ public static final void testDangerousProperties() {
           // Prefix corner cases.
           "-",
           "-moz-",
+          "-ms-",
+          "-o-",
+          "-webkit-",
         }) {
       assertSame(key, CssSchema.DISALLOWED, CssSchema.DEFAULT.forKey(key));
     }

src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java

@@ -229,6 +229,48 @@ public static final void testStyleFiltering() {
               .allowStandardUrlProtocols()));
   }
 
+  @Test
+  public void testSpecificStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align", "font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
+  @Test
+  public void testUnionStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align")))
+              .allowStyling( // union allowed style properties
+                   CssSchema.withProperties(List.of("font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
   @Test
   public static final void testElementTransforming() {
     assertEquals(
@@ -289,6 +331,25 @@ public static final void testAllowUrlProtocols() {
             .allowUrlProtocols("http")));
   }
 
+  @Test
+  public static final void testDisallowUrlProtocols() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "Header",
+            "Paragraph 1",
+            "Click me out",
+            "<img src=\"canary.png\" alt=\"local-canary\" />",
+            "Fancy with soupy tags.",
+            "Stylish Para 1",
+            "Stylish Para 2",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+            .allowElements("img")
+            .allowAttributes("src", "alt").onElements("img")
+            .allowUrlProtocols("http", "https")
+            .disallowUrlProtocols("http")));
+  }
+
   @Test
   public static final void testPossibleFalloutFromIssue5() {
     assertEquals(
@@ -847,6 +908,52 @@ public static final void testEmptyDefaultLinkRelsSet() {
         pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
   }
 
+  @Test
+  public static final void testRequireAndSkipRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href", "target").onElements("a")
+        .allowStandardUrlProtocols()
+        .requireRelsOnLinks("noreferrer")
+        .skipRelsOnLinks("noopener", "noreferrer")
+        .toFactory();
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noreferrer target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noopener target=\"_blank\">eg</a>"));
+  }
+
+  @Test
+  public static final void testSkipAndRequireRels() {
+    PolicyFactory pf = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href", "target").onElements("a")
+        .allowStandardUrlProtocols()
+        .skipRelsOnLinks("noopener", "noreferrer")
+        .requireRelsOnLinks("noreferrer")
+        .toFactory();
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noreferrer target=\"_blank\">eg</a>"));
+
+    assertEquals(
+            "<a href=\"http://example.com\" target=\"_blank\" rel=\"noreferrer\">eg</a>",
+            pf.sanitize("<a href=\"http://example.com\" rel=noopener target=\"_blank\">eg</a>"));
+  }
+
   @Test
   public static final void testExplicitRelsSkip() {
     PolicyFactory pf = new HtmlPolicyBuilder()
@@ -913,6 +1020,64 @@ public static final void testDirLi() {
             "<dir compact=\"compact\"><li>something</li></dir>"));
   }
 
+  @Test
+  public void testDisallowTextIn() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div")
+        .allowAttributes("style").onElements("div");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals("<div style=\"display:node\">Some Text</div>",
+        allowPolicy.sanitize("<div style=\"display:node\">Some Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowTextIn("div").toFactory();
+    assertEquals("<div style=\"display:node\"></div>",
+        disallowTextPolicy.sanitize(
+            "<div style=\"display:node\">Some Text</div>"));
+  }
+
+  @Test
+  public void testDisallowAttribute() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div", "p")
+        .allowAttributes("style").onElements("div", "p");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals(
+        "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>",
+            allowPolicy.sanitize(
+                "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowAttributes("style").onElements("p").toFactory();
+    assertEquals("<p>Some</p><div style=\"display:node\">Text</div>",
+        disallowTextPolicy.sanitize(
+            "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+  }
+
+  @Test
+  public void testCreativeCSSStyling() {
+    PolicyFactory policy = new HtmlPolicyBuilder()
+        .allowElements("p")
+        .allowAttributes("style").onElements("p").allowStyling().toFactory();
+
+    assertEquals("<p>Some</p>",
+            policy.sanitize("<p style=\"{display:none\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;};color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;}color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"display:none }; color:red\">Some</p>"));
+
+    assertEquals("<p style=\"color:red\">Some</p>",
+            policy.sanitize("<p style=\"{display:none;}}color:red\">Some</p>"));
+  }
+
   @Test
   public static void testScriptTagWithCommentBlockContainingHtmlCommentEnd() {
     PolicyFactory scriptSanitizer = new HtmlPolicyBuilder()

src/test/java/org/owasp/html/SanitizersTest.java

@@ -157,6 +157,58 @@ public static final void testImages() {
         );
   }
 
+  @Test
+  public static final void testIntegerAttributePolicy() {
+    PolicyFactory s = Sanitizers.IMAGES;
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" height=\"0\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=0 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" height=\"069\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=069 border=0>")
+            );
+
+    assertEquals(
+        "<img src=\"x.png\" alt=\"y\" height=\"64\" border=\"0\" />",
+        s.sanitize(
+            "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=64.43 border=0>")
+        );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=-64 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=\"\" border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=.43 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=something border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=596thin border=0>")
+            );
+  }
+
   @Test
   public static final void testLinks() {
     PolicyFactory s = Sanitizers.LINKS;