require 'spec_helper'
module Gitlab::Markdown
describe SanitizationFilter do
include FilterSpecHelper
describe 'default whitelist' do
it 'sanitizes tags that are not whitelisted' do
act = %q{ and }
exp = 'no inputs and no blinks'
expect(filter(act).to_html).to eq exp
end
it 'sanitizes tag attributes' do
act = %q{Text}
exp = %q{Text}
expect(filter(act).to_html).to eq exp
end
it 'sanitizes javascript in attributes' do
act = %q(Text)
exp = 'Text'
expect(filter(act).to_html).to eq exp
end
it 'allows whitelisted HTML tags from the user' do
exp = act = "
\n- Term
\n- Definition
\n
"
expect(filter(act).to_html).to eq exp
end
it 'sanitizes `class` attribute on any element' do
act = %q{Strong}
expect(filter(act).to_html).to eq %q{Strong}
end
it 'sanitizes `id` attribute on any element' do
act = %q{Emphasis}
expect(filter(act).to_html).to eq %q{Emphasis}
end
end
describe 'custom whitelist' do
it 'customizes the whitelist only once' do
instance = described_class.new('Foo')
3.times { instance.whitelist }
expect(instance.whitelist[:transformers].size).to eq 4
end
it 'allows syntax highlighting' do
exp = act = %q{def
}
expect(filter(act).to_html).to eq exp
end
it 'sanitizes `class` attribute from non-highlight spans' do
act = %q{def}
expect(filter(act).to_html).to eq %q{def}
end
it 'allows `style` attribute on table elements' do
html = <<-HTML.strip_heredoc
HTML
doc = filter(html)
expect(doc.at_css('th')['style']).to eq 'text-align: center'
expect(doc.at_css('td')['style']).to eq 'text-align: right'
end
it 'allows `span` elements' do
exp = act = %q{Hello}
expect(filter(act).to_html).to eq exp
end
it 'removes `rel` attribute from `a` elements' do
doc = filter(%q{Link})
expect(doc.css('a').size).to eq 1
expect(doc.at_css('a')['href']).to eq '#'
expect(doc.at_css('a')['rel']).to be_nil
end
it 'removes script-like `href` attribute from `a` elements' do
html = %q{Hi}
doc = filter(html)
expect(doc.css('a').size).to eq 1
expect(doc.at_css('a')['href']).to be_nil
end
end
context 'when pipeline is :description' do
it 'uses a stricter whitelist' do
doc = filter('Description
', pipeline: :description)
expect(doc.to_html.strip).to eq 'Description'
end
%w(pre code img ol ul li).each do |elem|
it "removes '#{elem}' elements" do
act = "<#{elem}>Description#{elem}>"
expect(filter(act, pipeline: :description).to_html.strip).
to eq 'Description'
end
end
%w(b i strong em a ins del sup sub p).each do |elem|
it "still allows '#{elem}' elements" do
exp = act = "<#{elem}>Description#{elem}>"
expect(filter(act, pipeline: :description).to_html).to eq exp
end
end
end
end
end