
  1. // Copyright 2020 The Gogs Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package app
  5. import (
  6. "testing"
  7. "github.com/stretchr/testify/assert"
  8. )
// Test_ipynbSanitizer pins the HTML allow-list applied to rendered Jupyter
// notebook output. Notebook-specific markup that the renderer depends on
// (the nb-* classes, data-prompt-number, base64 data: image sources) must
// survive untouched, while active content (<style>, <script>) must be
// removed from the output entirely, not just escaped.
//
// NOTE(review): the "prevent XSS" case only exercises <style> and <script>.
// Event-handler attributes (onerror, onload), javascript: URLs and non-image
// data: URIs on <img src> are not covered here; worth adding once the
// policy's behaviour for them is confirmed against the implementation.
func Test_ipynbSanitizer(t *testing.T) {
	type testCase struct {
		name string
		in   string
		out  string
	}

	// passthrough builds a case whose input is expected to survive the
	// sanitizer byte-for-byte.
	passthrough := func(name, html string) testCase {
		return testCase{name: name, in: html, out: html}
	}

	policy := ipynbSanitizer()

	cases := []testCase{
		passthrough("allow 'class' and 'data-prompt-number' attributes", `
<div class="nb-notebook">
<div class="nb-worksheet">
<div class="nb-cell nb-markdown-cell">Hello world</div>
<div class="nb-cell nb-code-cell">
<div class="nb-input" data-prompt-number="4">
</div>
</div>
</div>
</div>
`),
		passthrough("allow base64 encoded images", `
<div class="nb-output" data-prompt-number="4">
<img class="nb-image-output" src="data:image/png;base64,iVBORw0KGgoA"/>
</div>
`),
		{
			// Both the elements and their text content must be dropped: a
			// sanitizer that merely escaped the tags would leave the script
			// body visible in the rendered notebook.
			name: "prevent XSS",
			in: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
<style>
.output {
align-items: center;
background: #00ff00;
}
</style>
<script>
function test() {
alert("test");
}
$(document).ready(test);
</script>
</div>
</div>
`,
			out: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
</div>
</div>
`,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := policy.Sanitize(tc.in)
			assert.Equal(t, tc.out, got)
		})
	}
}
  87. }