# frozen_string_literal: true
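describe Phlex::HTML do
  extend ViewHelper

  # Every case below pushes attacker-shaped data through a view and pins the
  # output Phlex must produce: the javascript: scheme is dropped from links,
  # event-handler and malformed attribute names are rejected outright, and
  # text or attribute values are entity-escaped rather than emitted raw.
  #
  # Consistency fix: the first view used the older `template` name while the
  # rest of the file uses `view_template`; all views now use `view_template`.
  # The two "naughty javascript link protocol in href" cases had identical
  # descriptions, which made a failure impossible to attribute; the string-key
  # variant is now named distinctly.

  with "naughty javascript links" do
    view do
      # Covers the scheme check across value case, a Symbol value and an
      # uppercase attribute name. Each anchor must lose its href entirely.
      def view_template
        a(href: "javascript:alert(1)") { "a" }
        a(href: "JAVASCRIPT:alert(1)") { "b" }
        a(href: :"JAVASCRIPT:alert(1)") { "c" }
        a(HREF: "javascript:alert(1)") { "d" }
      end
    end

    it "removes the href attributes" do
      expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>"
    end
  end

  with "naughty uppercase event tag" do
    view do
      # Attribute-name rejection must be case-insensitive: ONCLICK is treated
      # like onclick and the render aborts instead of emitting the handler.
      def view_template
        button ONCLICK: "ALERT(1)" do
          "naughty button"
        end
      end
    end

    it "raises" do
      expect { output }.to raise_exception ArgumentError,
        message: be == "Unsafe attribute name detected: ONCLICK."
    end
  end

  with "naughty text" do
    view do
      def view_template
        plain %("><script type="text/javascript" src="bad_script.js"></script>)
      end
    end

    # The expected value is the entity-escaped form of the payload; raw
    # angle brackets or quotes in the output would mean the escape was skipped.
    it "escapes the content" do
      expect(output).to be == %(&quot;&gt;&lt;script type=&quot;text/javascript&quot; src=&quot;bad_script.js&quot;&gt;&lt;/script&gt;)
    end
  end

  with "naughty tag attribute values" do
    view do
      def view_template
        article id: %("><script type="text/javascript" src="bad_script.js"></script>)
      end
    end

    # A value that tries to close the attribute and open a new tag must stay
    # inside the quoted attribute as escaped entities.
    it "escapes the attributes" do
      expect(output).to be == %(<article id="&quot;&gt;&lt;script type=&quot;text/javascript&quot; src=&quot;bad_script.js&quot;&gt;&lt;/script&gt;"></article>)
    end
  end

  with "naughty javascript link protocol in href" do
    view do
      # Doubled scheme prefix: a single-pass strip that removed one
      # "javascript:" and left the other would still be dangerous, so the
      # whole href has to go.
      def view_template
        a href: "javascript:javascript:alert(1)" do
          "naughty link"
        end
      end
    end

    it "strips the javascript protocol" do
      expect(output).to be == %{<a>naughty link</a>}
    end
  end

  with "naughty javascript link protocol in href given as a string key" do
    view do
      # Same payload as above, but the attribute is passed with a String key
      # instead of a Symbol; the scheme check must not depend on key type.
      def view_template
        a "href" => "javascript:javascript:alert(1)" do
          "naughty link"
        end
      end
    end

    it "strips the javascript protocol" do
      expect(output).to be == %{<a>naughty link</a>}
    end
  end

  # Every name listed in Phlex::HTML::EVENT_ATTRIBUTES must be refused, with
  # the offending name echoed in the error so the failing attribute is obvious.
  Phlex::HTML::EVENT_ATTRIBUTES.each_key do |event_attribute|
    with "with naughty #{event_attribute} attribute" do
      naughty_attributes = { event_attribute => "alert(1);" }

      view do
        # define_method + send so the attribute hash built outside the view
        # (with a non-Symbol key) can be splatted into the tag call.
        define_method :view_template do
          send(:div, **naughty_attributes)
        end
      end

      it "raises an ArgumentError" do
        expect { output }.to raise_exception ArgumentError,
          message: be == "Unsafe attribute name detected: #{event_attribute}."
      end
    end
  end

  # Attribute names containing markup-significant characters could break out
  # of the attribute list; each such name must be rejected, not escaped.
  %w[< > & " '].each do |naughty_character|
    with "naughty attribute name containing #{naughty_character}" do
      naughty_attribute = "abc#{naughty_character}123"
      naughty_attributes = { naughty_attribute => "alert(1);" }

      view do
        define_method :view_template do
          send(:div, **naughty_attributes)
        end
      end

      it "raises an ArgumentError" do
        expect { output }.to raise_exception ArgumentError,
          message: be == "Unsafe attribute name detected: #{naughty_attribute}."
      end
    end
  end
end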