'use strict';
const assert = require('assert');
const describe = require('@charmander/test/describe')(module);
const clean = require('./splash/clean');
/**
 * Runs an HTML fragment through the cleaner under test and returns the
 * resulting markup.
 *
 * The second argument is fixed to 'staff'. Expectations in this file mention
 * /blog/staff/ and staff.tumblr.com, so it is presumably the name of the blog
 * the fragment belongs to (confirm against ./splash/clean).
 *
 * @param {string} html - markup to clean
 * @returns {*} the `_html` property of the object returned by clean.rewriteHTML
 */
const rewriteHTML = (html) => {
  const rewritten = clean.rewriteHTML(html, 'staff');
  // The assertions compare against the `_html` field of the result object.
  return rewritten._html;
};
/**
 * Runs a single link through the cleaner's link rewriter, with the blog
 * argument fixed to 'staff' (the same value the HTML helper uses).
 *
 * @param {string} link - URL text to rewrite
 * @returns {*} whatever clean.rewriteLinkString returns for that link
 */
const rewriteLink = (link) => {
  const rewritten = clean.rewriteLinkString(link, 'staff');
  return rewritten;
};
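// Link rewriter: a link wrapped by href.li carries its real destination after
// the "?", and the rewriter is expected to return that destination unchanged.
describe('link rewriter', (it) => {
  it('rewrites href.li links', () => {
    const destination = 'https://example.com/path/to/page?a=1&b=2';

    // strictEqual instead of the legacy assert.equal (which compares with ==):
    // a result that only coerces to the right text must fail, and this matches
    // every other assertion in the file.
    assert.strictEqual(rewriteLink('https://href.li/?' + destination), destination);
  });
});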
describe('HTML rewriter', it => {
it('retains safe HTML', () => {
  // Fragments that must come back exactly as they went in: plain text,
  // simple inline formatting, and an https link.
  const unchanged = [
    'Plain text.',
    '<em>Basic</em> formatting.',
    '<a href="https://charmander.me/">Valid links.</a>',
  ];

  for (const fragment of unchanged) {
    assert.strictEqual(rewriteHTML(fragment), fragment);
  }

  // The element is kept, but its tag name is written back in lowercase.
  assert.strictEqual(rewriteHTML('<B>Uppercase.</B>'), '<b>Uppercase.</b>');
});
it('cleans all JavaScript', () => {
  // [input, expected] pairs, one per script-bearing construct:
  //   1. a <script> element - the tags are dropped and the body is left as inert text
  //   2. a javascript: URL  - the href attribute is removed, the anchor stays
  //   3. an inline handler  - onclick is removed, the harmless href="#" stays
  // NOTE(review): each construct appears once, in its plainest spelling; this
  // test does not show how differently cased or re-encoded spellings are
  // handled, so it should not be read as full coverage of the cleaner.
  const cases = [
    ['<script>alert(1);</script>', 'alert(1);'],
    ['<a href="javascript:alert(1)">link</a>', '<a>link</a>'],
    ['<a href="#" onclick="alert(1)">link</a>', '<a href="#">link</a>'],
  ];

  for (const [dirty, cleaned] of cases) {
    assert.strictEqual(rewriteHTML(dirty), cleaned);
  }
});
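it('always produces valid, consistent HTML', () => {
  // Input: stray brackets, a bare ampersand, mis-nested <b>/<i>, an unmatched
  // </u> and an unclosed <blockquote>. Expected: properly nested <b>/<i>, the
  // stray </u> gone, and the blockquote closed.
  // NOTE(review): the expected text is written with raw "<", ">" and "&". If
  // the cleaner serializes those as character references, this literal needs
  // them too - confirm against an actual run.
  assert.strictEqual(
    rewriteHTML('>>> <<< & <blockquote><b>1 <i>2</b> 3</i> 4</u>'),
    '>>> <<< & <blockquote><b>1 <i>2</i></b> 3 4</blockquote>');

  // Single-quoted and unquoted attribute values are both written back with
  // double quotes. This assertion used to be repeated verbatim on the next
  // line; one copy is enough. If the repeat was meant to cover another quoting
  // form, add that form as its own case.
  assert.strictEqual(
    rewriteHTML('<b title=\'title\'></b> <i title=title></i>'),
    '<b title="title"></b> <i title="title"></i>');
});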
it('secures embedded, recognized content when possible', () => {
  // [input, expected] pairs for images on tumblr media hosts. Plain-http and
  // protocol-relative sources are expected to come back as https; a source
  // that is already https is expected to come back unchanged.
  const cases = [
    [
      '<img src="http://37.media.tumblr.com/foo.png" alt="Interesting photo">',
      '<img src="https://37.media.tumblr.com/foo.png" alt="Interesting photo">',
    ],
    [
      '<img src="http://media.tumblr.com/foo.png" alt="Interesting photo">',
      '<img src="https://media.tumblr.com/foo.png" alt="Interesting photo">',
    ],
    [
      '<img src="https://41.media.tumblr.com/foo.png" alt="Interesting photo">',
      '<img src="https://41.media.tumblr.com/foo.png" alt="Interesting photo">',
    ],
    [
      '<img src="//41.media.tumblr.com/foo.png" alt="Interesting photo">',
      '<img src="https://41.media.tumblr.com/foo.png" alt="Interesting photo">',
    ],
  ];

  for (const [original, secured] of cases) {
    assert.strictEqual(rewriteHTML(original), secured);
  }
});
it('doesn’t double-encode, and decodes when possible', () => {
  // Puts the same text into an attribute value and into element content, then
  // checks that both positions come back as `expected`.
  const attempt = (entities, expected) => {
    const input = `<span title="${entities}">${entities}</span>`;
    const wanted = `<span title="${expected}">${expected}</span>`;
    assert.strictEqual(rewriteHTML(input), wanted);
  };

  // NOTE(review): in every pair below the input equals the expected value, so
  // as written these only show that the characters pass through unchanged.
  // The test title talks about encoding and decoding, which suggests the
  // inputs were meant to be character references - confirm against the
  // repository copy of this file.
  attempt('&', '&');
  attempt('—’', '—’');
  attempt('😊', '😊');
});
it('converts insecure or unrecognized embedded content to links', () => {
  // An image served over plain http from a host the cleaner does not
  // recognize. The expected markup contains no <img> at all: the image is
  // replaced by an ordinary link whose text is the URL in square brackets, so
  // nothing is fetched from that host unless the reader follows the link.
  const embedded = '<img src="http://idioticimages.com/foo.gif">';
  const asLink = '<a href="http://idioticimages.com/foo.gif">[http://idioticimages.com/foo.gif]</a>';

  assert.strictEqual(rewriteHTML(embedded), asLink);
});
it('secures recognized links when possible', () => {
  // A plain-http link to a host the cleaner recognizes is expected to come
  // back with an https scheme and nothing else changed.
  const insecure = '<a href="http://imgur.com/">Image hosting</a>';
  const secured = '<a href="https://imgur.com/">Image hosting</a>';

  assert.strictEqual(rewriteHTML(insecure), secured);
});
it('rewrites Tumblr blog links to Splash links', () => {
  // [input, expected] pairs. Links to a blog subdomain (any of http, https or
  // protocol-relative) are expected to become site-local /blog/<name>/ paths;
  // www. and api. are not treated as blogs and are only upgraded to https; a
  // root-relative /tagged/ path is resolved against the current blog.
  const cases = [
    [
      '<a href="http://staff.tumblr.com/">External blog link</a>',
      '<a href="/blog/staff/">External blog link</a>',
    ],
    [
      '<a href="https://staff.tumblr.com/">External blog link</a>',
      '<a href="/blog/staff/">External blog link</a>',
    ],
    [
      '<a href="//staff.tumblr.com/">External blog link</a>',
      '<a href="/blog/staff/">External blog link</a>',
    ],
    [
      '<a href="http://staff.tumblr.com/post/69608789310">External post link</a>',
      '<a href="/blog/staff/post/69608789310">External post link</a>',
    ],
    [
      '<a href="http://staff.tumblr.com/post/69608789310/love-the-new-search-but-wish-it-looked-more-like">External post link with slug</a>',
      '<a href="/blog/staff/post/69608789310/love-the-new-search-but-wish-it-looked-more-like">External post link with slug</a>',
    ],
    [
      '<a href="http://www.tumblr.com/">Tumblr link</a>',
      '<a href="https://www.tumblr.com/">Tumblr link</a>',
    ],
    [
      '<a href="http://api.tumblr.com/">Tumblr API link</a>',
      '<a href="https://api.tumblr.com/">Tumblr API link</a>',
    ],
    [
      '<a href="/tagged/example">Internal link</a>',
      '<a href="/blog/staff/tagged/example">Internal link</a>',
    ],
  ];

  for (const [original, rewritten] of cases) {
    assert.strictEqual(rewriteHTML(original), rewritten);
  }
});
it('rewrites unrecognized internal links to the original blog', () => {
  // A root-relative path that is not one of the recognized blog routes is
  // expected to become an absolute https URL on the blog's own host, not a
  // site-local path.
  const relative = '<a href="/page">Internal link</a>';
  const absolute = '<a href="https://staff.tumblr.com/page">Internal link</a>';

  assert.strictEqual(rewriteHTML(relative), absolute);
});
it('rewrites shortened links', () => {
  // A tmblr.co short link is expected to become a site-local /tmblr/<code>
  // path that carries the same short code.
  const shortened = '<a href="https://tmblr.co/mzHMrgAhIUiZyL-1AdtaNRA">Shortened link</a>';
  const local = '<a href="/tmblr/mzHMrgAhIUiZyL-1AdtaNRA">Shortened link</a>';

  assert.strictEqual(rewriteHTML(shortened), local);
});
it('rewrites t.umblr.com redirects', () => {
  // The expected href is the percent-decoded value of the `z` query parameter
  // (http%3A%2F%2Fexample.com%2F -> http://example.com/); the other parameters
  // (t, b, p, m) do not appear in the output.
  // NOTE(review): `z` is text chosen by whoever wrote the post, and only an
  // http destination is exercised here. This test alone does not show that an
  // unwrapped destination is held to the same URL rules as an href written
  // directly in the markup; a companion case would document that.
  const wrapped = '<a href="https://t.umblr.com/redirect?z=http%3A%2F%2Fexample.com%2F&t=ZmQxYTU3YWIwMGRhYzAyNjkzMjIzNTA4MDg5ODBkZjhkODQ2NTA3NixEU05ickYxeg%3D%3D&b=t%3AwRDLUrtjPvazjQjQuAr2Yg&p=post-link&m=1">Shortened link</a>';
  const unwrapped = '<a href="http://example.com/">Shortened link</a>';

  assert.strictEqual(rewriteHTML(wrapped), unwrapped);
});
});