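/**
 * Verifies that a sanitization bypass granted with {@code false} as the second argument
 * covers the marked element only. With empty tag and attribute whitelists, the
 * {@code <p>} tag and its {@code foo} attribute survive the rewrite, while the nested
 * {@code <b>} element and the comment are still removed.
 */
@Test
public void sanitizationBypassOnlySelf() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself; the expected output below shows that passing
  // false leaves its descendants subject to sanitization.
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // Only the trusted element and its own attribute remain; the children were stripped.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}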
/**
 * Runs {@code content} through a rewriter obtained from
 * {@code createRewriter(tags, attributes)} and returns the rewritten markup.
 *
 * @param gadget gadget handed to the rewriter
 * @param content markup to rewrite
 * @param tags tag set forwarded to {@code createRewriter}
 * @param attributes attribute set forwarded to {@code createRewriter}
 * @return capture group 1 of {@code BODY_REGEX} when the pattern matches the whole
 *     rewritten content, otherwise the complete rewritten content; callers therefore
 *     compare against either a body fragment or a full document string
 */
private String rewrite(Gadget gadget, String content, Set<String> tags, Set<String> attributes)
    throws Exception {
  GadgetRewriter sanitizer = createRewriter(tags, attributes);
  MutableContent mutable = new MutableContent(parser, content);
  sanitizer.rewrite(gadget, mutable);

  Matcher bodyMatch = BODY_REGEX.matcher(mutable.getContent());
  // Fall back to the full serialized output when the body pattern does not apply.
  return bodyMatch.matches() ? bodyMatch.group(1) : mutable.getContent();
}
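/**
 * Verifies that a sanitization bypass granted with {@code false} as the second argument
 * covers the marked element only. With empty tag and attribute whitelists, the
 * {@code <p>} tag and its {@code foo} attribute survive the rewrite, while the nested
 * {@code <b>} element and the comment are still removed.
 */
@Test
public void sanitizationBypassOnlySelf() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself; the expected output below shows that passing
  // false leaves its descendants subject to sanitization.
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // Only the trusted element and its own attribute remain; the children were stripped.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}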
/**
 * Runs {@code content} through a rewriter obtained from
 * {@code createRewriter(tags, attributes)} and returns the rewritten markup.
 *
 * @param gadget gadget handed to the rewriter
 * @param content markup to rewrite
 * @param tags tag set forwarded to {@code createRewriter}
 * @param attributes attribute set forwarded to {@code createRewriter}
 * @return capture group 1 of {@code BODY_REGEX} when the pattern matches the whole
 *     rewritten content, otherwise the complete rewritten content; callers therefore
 *     compare against either a body fragment or a full document string
 */
private String rewrite(Gadget gadget, String content, Set<String> tags, Set<String> attributes)
    throws Exception {
  GadgetRewriter sanitizer = createRewriter(tags, attributes);
  MutableContent mutable = new MutableContent(parser, content);
  sanitizer.rewrite(gadget, mutable);

  Matcher bodyMatch = BODY_REGEX.matcher(mutable.getContent());
  // Fall back to the full serialized output when the body pattern does not apply.
  return bodyMatch.matches() ? bodyMatch.group(1) : mutable.getContent();
}
/**
 * Checks CSS sanitization inside a whitelisted {@code <style>} element. With only
 * {@code p}, {@code b} and {@code style} allowed and no attributes allowed, the expected
 * output keeps the {@code font} declaration, drops the {@code behavior} declaration and
 * the {@code type} attribute, and removes the non-whitelisted {@code <i>} element with
 * everything inside it.
 */
@Test
public void enforceStyleSanitized() throws Exception {
  String input =
      "<p><style type=\"text/css\">A { font : bold; behavior : bad }</style>text <b>bold text</b></p>"
      + "<b>Bold text</b><i>Italic text<b>Bold text</b></i>";
  // The comparison is against the whole serialized document, not just the body fragment.
  String expected =
      "<html><head></head><body><p><style>A {\n font: bold\n}</style>text "
      + "<b>bold text</b></p><b>Bold text</b></body></html>";
  String actual = rewrite(gadget, input, set("p", "b", "style"), set());
  assertEquals(expected, actual);
}
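/**
 * Verifies that a sanitization bypass granted with {@code false} as the second argument
 * covers the marked element only. With empty tag and attribute whitelists, the
 * {@code <p>} tag and its {@code foo} attribute survive the rewrite, while the nested
 * {@code <b>} element and the comment are still removed.
 */
@Test
public void sanitizationBypassOnlySelf() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself; the expected output below shows that passing
  // false leaves its descendants subject to sanitization.
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // Only the trusted element and its own attribute remain; the children were stripped.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}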
/**
 * Runs {@code content} through a rewriter obtained from
 * {@code createRewriter(tags, attributes)} and returns the rewritten markup.
 *
 * @param gadget gadget handed to the rewriter
 * @param content markup to rewrite
 * @param tags tag set forwarded to {@code createRewriter}
 * @param attributes attribute set forwarded to {@code createRewriter}
 * @return capture group 1 of {@code BODY_REGEX} when the pattern matches the whole
 *     rewritten content, otherwise the complete rewritten content; callers therefore
 *     compare against either a body fragment or a full document string
 */
private String rewrite(Gadget gadget, String content, Set<String> tags, Set<String> attributes)
    throws Exception {
  GadgetRewriter sanitizer = createRewriter(tags, attributes);
  MutableContent mutable = new MutableContent(parser, content);
  sanitizer.rewrite(gadget, mutable);

  Matcher bodyMatch = BODY_REGEX.matcher(mutable.getContent());
  // Fall back to the full serialized output when the body pattern does not apply.
  return bodyMatch.matches() ? bodyMatch.group(1) : mutable.getContent();
}
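/**
 * Verifies that a sanitization bypass set on an element still applies to a deep clone of
 * that element. The trusted {@code <p>} is replaced in the document by its
 * {@code cloneNode(true)} copy before rewriting, and the expected output is the same as
 * for the original: the {@code <p>} tag and its attribute are kept, its children are
 * stripped.
 */
@Test
public void sanitizationBypassPreservedAcrossClone() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself (second argument false: not its children).
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);

  // Swap the marked element for a deep clone, so that only the clone is in the tree
  // when the rewriter runs.
  Element cloned = (Element) paragraphTag.cloneNode(true);
  paragraphTag.getParentNode().replaceChild(cloned, paragraphTag);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // The clone is treated as trusted; its untrusted children are still removed.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}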
/**
 * Checks that a {@code <link>} whose {@code rel} is {@code script} is removed completely,
 * even though the {@code link} tag and the {@code rel}, {@code href} and {@code type}
 * attributes are all whitelisted. The expected result is an empty document.
 */
@Test
public void enforceNonStyleLinkStripped() throws Exception {
  String input = "<link rel=\"script\" "
      + "href=\"www.exmaple.org/evil.js\"/>";
  // Whitelisting the tag is not enough: nothing of the link may reach the output.
  assertEquals(
      "<html><head></head><body></body></html>",
      rewrite(gadget, input, set("link"), set("rel", "href", "type")));
}
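/**
 * Verifies that a sanitization bypass set on an element still applies to a deep clone of
 * that element. The trusted {@code <p>} is replaced in the document by its
 * {@code cloneNode(true)} copy before rewriting, and the expected output is the same as
 * for the original: the {@code <p>} tag and its attribute are kept, its children are
 * stripped.
 */
@Test
public void sanitizationBypassPreservedAcrossClone() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself (second argument false: not its children).
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);

  // Swap the marked element for a deep clone, so that only the clone is in the tree
  // when the rewriter runs.
  Element cloned = (Element) paragraphTag.cloneNode(true);
  paragraphTag.getParentNode().replaceChild(cloned, paragraphTag);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // The clone is treated as trusted; its untrusted children are still removed.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}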
/**
 * Repeats the non-style {@code <link>} check with the {@code gadgetNoCacheAndDebug}
 * fixture. The {@code rel="script"} link must be removed completely despite the
 * {@code link} tag and its attributes being whitelisted.
 */
@Test
public void enforceNonStyleLinkStrippedNoCacheAndDebug() throws Exception {
  String input = "<link rel=\"script\" "
      + "href=\"www.exmaple.org/evil.js\"/>";
  // NOTE(review): the fixture name suggests a no-cache, debug-mode gadget; confirm in setUp.
  assertEquals(
      "<html><head></head><body></body></html>",
      rewrite(gadgetNoCacheAndDebug, input, set("link"), set("rel", "href", "type")));
}
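/**
 * Verifies that a sanitization bypass set on an element still applies to a deep clone of
 * that element. The trusted {@code <p>} is replaced in the document by its
 * {@code cloneNode(true)} copy before rewriting, and the expected output is the same as
 * for the original: the {@code <p>} tag and its attribute are kept, its children are
 * stripped.
 */
@Test
public void sanitizationBypassPreservedAcrossClone() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter rewriter = createRewriter(set(), set());
  MutableContent mc = new MutableContent(parser, markup);
  Document document = mc.getDocument();
  Element paragraphTag = (Element) document.getElementsByTagName("p").item(0);
  // Trust the paragraph element itself (second argument false: not its children).
  SanitizingGadgetRewriter.bypassSanitization(paragraphTag, false);

  // Swap the marked element for a deep clone, so that only the clone is in the tree
  // when the rewriter runs.
  Element cloned = (Element) paragraphTag.cloneNode(true);
  paragraphTag.getParentNode().replaceChild(cloned, paragraphTag);
  rewriter.rewrite(gadget, mc);

  String content = mc.getContent();
  Matcher matcher = BODY_REGEX.matcher(content);
  // Report the serialized content on a mismatch instead of letting group(1) throw
  // an IllegalStateException that hides what the rewriter produced.
  if (!matcher.matches()) {
    throw new AssertionError("BODY_REGEX did not match rewritten content: " + content);
  }
  // The clone is treated as trusted; its untrusted children are still removed.
  assertEquals("<p foo=\"bar\"></p>", matcher.group(1));
}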
/**
 * Verifies that a sanitization bypass granted with {@code true} as the second argument
 * protects the marked element together with its contents. A rewriter with empty tag and
 * attribute whitelists must leave the serialized document identical to its
 * pre-rewrite form.
 */
@Test
public void sanitizationBypassAllowed() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter sanitizer = createRewriter(set(), set());
  MutableContent mutable = new MutableContent(parser, markup);
  Document dom = mutable.getDocument();

  // Force re-serialization so the baseline is the serializer's output rather than the
  // raw input string.
  MutableContent.notifyEdit(dom);
  String baseline = mutable.getContent();

  Element trustedParagraph = (Element) dom.getElementsByTagName("p").item(0);
  // Trust the paragraph; passing true extends the bypass beyond the element itself,
  // as the unchanged output asserted below demonstrates.
  SanitizingGadgetRewriter.bypassSanitization(trustedParagraph, true);
  sanitizer.rewrite(gadget, mutable);

  // The rewrite must not have altered anything.
  assertEquals(baseline, mutable.getContent());
}
/**
 * Checks tag whitelisting with only {@code p} and {@code b} allowed. The expected output
 * no longer contains the {@code <style>} element or its CSS text, and the {@code <i>}
 * element is removed with everything inside it, including its whitelisted nested
 * {@code <b>}.
 */
@Test
public void enforceTagWhiteList() throws Exception {
  String input =
      "<p><style type=\"text/css\">A { font : bold }</style>text <b>bold text</b></p>"
      + "<b>Bold text</b><i>Italic text<b>Bold text</b></i>";
  String expected = "<p>text <b>bold text</b></p><b>Bold text</b>";
  // A disallowed element is dropped together with its subtree, not unwrapped.
  String actual = rewrite(gadget, input, set("p", "b"), set());
  assertEquals(expected, actual);
}
/**
 * Verifies that a sanitization bypass granted with {@code true} as the second argument
 * protects the marked element together with its contents. A rewriter with empty tag and
 * attribute whitelists must leave the serialized document identical to its
 * pre-rewrite form.
 */
@Test
public void sanitizationBypassAllowed() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter sanitizer = createRewriter(set(), set());
  MutableContent mutable = new MutableContent(parser, markup);
  Document dom = mutable.getDocument();

  // Force re-serialization so the baseline is the serializer's output rather than the
  // raw input string.
  MutableContent.notifyEdit(dom);
  String baseline = mutable.getContent();

  Element trustedParagraph = (Element) dom.getElementsByTagName("p").item(0);
  // Trust the paragraph; passing true extends the bypass beyond the element itself,
  // as the unchanged output asserted below demonstrates.
  SanitizingGadgetRewriter.bypassSanitization(trustedParagraph, true);
  sanitizer.rewrite(gadget, mutable);

  // The rewrite must not have altered anything.
  assertEquals(baseline, mutable.getContent());
}
/**
 * Checks that an {@code @import} pointing at a {@code javascript:} URL is removed from a
 * whitelisted {@code <style>} element. The ordinary rule that follows is kept, the
 * {@code type} attribute is dropped (no attributes are whitelisted), and the expected
 * full-document output places the style element in {@code <head>}.
 */
@Test
public void enforceCssImportBadLinkStripped() throws Exception {
  String input =
      "<style type=\"text/css\">@import url('javascript:doevil()'); A { font : bold }</style>";
  // Only the harmless rule may remain in the serialized style sheet.
  String expected = "<html><head><style>A {\n"
      + " font: bold\n"
      + "}</style></head><body></body></html>";
  String actual = rewrite(gadget, input, set("style"), set());
  assertEquals(expected, actual);
}
/**
 * Verifies that a sanitization bypass granted with {@code true} as the second argument
 * protects the marked element together with its contents. A rewriter with empty tag and
 * attribute whitelists must leave the serialized document identical to its
 * pre-rewrite form.
 */
@Test
public void sanitizationBypassAllowed() throws Exception {
  String markup = "<p foo=\"bar\"><b>Parag</b><!--raph--></p>";
  // Empty tag and attribute whitelists: without a bypass nothing in the markup would survive.
  GadgetRewriter sanitizer = createRewriter(set(), set());
  MutableContent mutable = new MutableContent(parser, markup);
  Document dom = mutable.getDocument();

  // Force re-serialization so the baseline is the serializer's output rather than the
  // raw input string.
  MutableContent.notifyEdit(dom);
  String baseline = mutable.getContent();

  Element trustedParagraph = (Element) dom.getElementsByTagName("p").item(0);
  // Trust the paragraph; passing true extends the bypass beyond the element itself,
  // as the unchanged output asserted below demonstrates.
  SanitizingGadgetRewriter.bypassSanitization(trustedParagraph, true);
  sanitizer.rewrite(gadget, mutable);

  // The rewrite must not have altered anything.
  assertEquals(baseline, mutable.getContent());
}