more tests for data uri mediatypes

and update CHANGELOG with this feature and a thank-you. Related to #101, #120.
flavorjones · Sep 24, 2017 · dfdee76 · dfdee76
1 parent 7917ee9
commit dfdee76
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 Features:
 
 * Added :noopener HTML scrubber (Thanks, @tastycode!)
+* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
 
 
 Bugfixes:

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -142,6 +142,10 @@ def test_should_allow_multi_word_data_attributes
       input = %(<a href="data:#{data_uri_type}">foo</a>)
       output = "<a href='data:#{data_uri_type}'>foo</a>"
       check_sanitization(input, output, output, output)
+
+      input = %(<a href="data:#{data_uri_type};base64,R0lGODlhAQABA">foo</a>)
+      output = "<a href='data:#{data_uri_type};base64,R0lGODlhAQABA'>foo</a>"
+      check_sanitization(input, output, output, output)
     end
   end
 
@@ -153,6 +157,20 @@ def test_should_allow_multi_word_data_attributes
     end
   end
 
+  def test_should_disallow_other_uri_mediatypes
+    input = %(<a href="data:foo">foo</a>)
+    output = "<a>foo</a>"
+    check_sanitization(input, output, output, output)
+
+    input = %(<a href="data:image/xxx">foo</a>)
+    output = "<a>foo</a>"
+    check_sanitization(input, output, output, output)
+
+    input = %(<a href="data:image/xxx;base64,R0lGODlhAQABA">foo</a>)
+    output = "<a>foo</a>"
+    check_sanitization(input, output, output, output)
+  end
+
 
   HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
     next unless HTML5::WhiteList::ALLOWED_ELEMENTS.include?(tag_name)