From 506704a5fed4399281eceea2951e484e4d143c40 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:09:34 +0200
Subject: [PATCH] add test cases for sanitization hardening

---
 test/specs/run-spec.js                                   | 3 +++
 test/specs/security/sanitizer_bypass.html                | 6 ++++++
 test/specs/security/sanitizer_bypass.md                  | 9 +++++++++
 test/specs/security/sanitizer_bypass_remove_generic.html | 2 ++
 test/specs/security/sanitizer_bypass_remove_generic.md   | 6 ++++++
 test/specs/security/sanitizer_bypass_remove_script.html  | 1 +
 test/specs/security/sanitizer_bypass_remove_script.md    | 5 +++++
 test/specs/security/sanitizer_bypass_remove_tag.html     | 1 +
 test/specs/security/sanitizer_bypass_remove_tag.md       | 5 +++++
 9 files changed, 38 insertions(+)
 create mode 100644 test/specs/security/sanitizer_bypass.html
 create mode 100644 test/specs/security/sanitizer_bypass.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_generic.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_generic.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_script.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_script.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_tag.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_tag.md

diff --git a/test/specs/run-spec.js b/test/specs/run-spec.js
index 2702c76f68..b6d0c17e27 100644
--- a/test/specs/run-spec.js
+++ b/test/specs/run-spec.js
@@ -16,6 +16,8 @@ function runSpecs(title, dir, showCompletionTable, options) {
           spec.options = Object.assign({}, options, (spec.options || {}));
           const example = (spec.example ? ' example ' + spec.example : '');
           const passFail = (spec.shouldFail ? 'fail' : 'pass');
+          if (spec.options.sanitizerRemoveHtml)
+            spec.options.sanitizer = () => '';
           (spec.only ? fit : it)('should ' + passFail + example, () => {
             const before = process.hrtime();
             if (spec.shouldFail) {
@@ -40,3 +42,4 @@ runSpecs('CommonMark', './commonmark', true, { headerIds: false });
 runSpecs('Original', './original', false, { gfm: false });
 runSpecs('New', './new');
 runSpecs('ReDOS', './redos');
+runSpecs('Security', './security', false, { silent: true /* no deprecation warnings */ });
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass.html b/test/specs/security/sanitizer_bypass.html
new file mode 100644
index 0000000000..fb35223cf0
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass.html
@@ -0,0 +1,6 @@
+<p>AAA&lt;script&gt; &lt;img &lt;script&gt; src=x onerror=alert(1) /&gt;BBB</p>
+
+<p>AAA&lt;sometag&gt; &lt;img &lt;sometag&gt; src=x onerror=alert(1)BBB</p>
+
+<p>&lt;a&gt;a2&lt;a2t&gt;a2&lt;/a&gt; b &lt;c&gt;c&lt;/c&gt; d</p>
+<h1 id="text"><img src="URL" alt="text"></h1>
diff --git a/test/specs/security/sanitizer_bypass.md b/test/specs/security/sanitizer_bypass.md
new file mode 100644
index 0000000000..99091d0198
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass.md
@@ -0,0 +1,9 @@
+---
+sanitize: true
+---
+AAA<script> <img <script> src=x onerror=alert(1) />BBB
+
+AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB
+
+<a>a2<a2t>a2</a> b <c>c</c> d
+# ![text](URL)
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass_remove_generic.html b/test/specs/security/sanitizer_bypass_remove_generic.html
new file mode 100644
index 0000000000..272825867d
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_generic.html
@@ -0,0 +1,2 @@
+<p>a2a2 b c d</p>
+<h1 id="text"><img src="URL" alt="text"></h1>
diff --git a/test/specs/security/sanitizer_bypass_remove_generic.md b/test/specs/security/sanitizer_bypass_remove_generic.md
new file mode 100644
index 0000000000..41aca6277c
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_generic.md
@@ -0,0 +1,6 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+<a>a2<a2t>a2</a> b <c>c</c> d
+# ![text](URL)
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass_remove_script.html b/test/specs/security/sanitizer_bypass_remove_script.html
new file mode 100644
index 0000000000..85472db28e
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_script.html
@@ -0,0 +1 @@
+<p>AAA</p>
diff --git a/test/specs/security/sanitizer_bypass_remove_script.md b/test/specs/security/sanitizer_bypass_remove_script.md
new file mode 100644
index 0000000000..9334070021
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_script.md
@@ -0,0 +1,5 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+AAA<script> <img <script> src=x onerror=alert(1) />BBB
diff --git a/test/specs/security/sanitizer_bypass_remove_tag.html b/test/specs/security/sanitizer_bypass_remove_tag.html
new file mode 100644
index 0000000000..68d5c23d44
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_tag.html
@@ -0,0 +1 @@
+<p>AAA &lt;img  src=x onerror=alert(1)BBB</p>
diff --git a/test/specs/security/sanitizer_bypass_remove_tag.md b/test/specs/security/sanitizer_bypass_remove_tag.md
new file mode 100644
index 0000000000..fd387b1248
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_tag.md
@@ -0,0 +1,5 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB