{
"allowlist": "{\"p\":[],\"br\":[],\"strong\":[],\"em\":[],\"u\":[],\"s\":[],\"code\":[],\"pre\":[],\"ul\":[],\"ol\":[],\"li\":[],\"h1\":[],\"h2\":[],\"h3\":[],\"h4\":[],\"blockquote\":[],\"a\":[\"href\",\"title\"]}",
"cases": [
{
"name": "01-pass-through-list",
"input": "<ol><li><strong>x</strong></li></ol>",
"expected": "<ol><li><strong>x</strong></li></ol>"
},
{
"name": "02-paragraphs-with-bold",
"input": "<p>hello <strong>world</strong></p><p>second</p>",
"expected": "<p>hello <strong>world</strong></p><p>second</p>"
},
{
"name": "03-pre-code-block",
"input": "<pre><code>npm install</code></pre>",
"expected": "<pre><code>npm install</code></pre>"
},
{
"name": "04-allowed-https-link",
"input": "<a href=\"https://example.com\">click</a>",
"expected": "<a href=\"https://example.com\">click</a>"
},
{
"name": "05-allowed-anchor-link",
"input": "<a href=\"#section\">jump</a>",
"expected": "<a href=\"#section\">jump</a>"
},
{
"name": "06-javascript-scheme-blocked",
"input": "<a href=\"javascript:alert(1)\">click</a>",
"expected": "<a>click</a>"
},
{
"name": "07-about-scheme-blocked",
"input": "<a href=\"about:blank#x\">click</a>",
"expected": "<a>click</a>"
},
{
"name": "08-data-uri-blocked",
"input": "<a href=\"data:text/html,<script>alert(1)</script>\">x</a>",
"expected": "<a>x</a>"
},
{
"name": "09-script-content-dropped",
"input": "before<script>alert(1)</script>after",
"expected": "beforeafter"
},
{
"name": "10-iframe-content-dropped",
"input": "<iframe src=\"evil\">junk</iframe>safe",
"expected": "safe"
},
{
"name": "11-form-content-dropped",
"input": "<form action=\"/steal\">x</form>safe",
"expected": "safe"
},
{
"name": "12-img-with-onerror-dropped",
"input": "<img src=x onerror=alert(2)>",
"expected": ""
},
{
"name": "13-comment-injection-bypass-blocked",
"input": "<form action=\"-->junk\">x</form>safe",
"expected": "safe"
},
{
"name": "14-mixed-legit-and-attack",
"input": "<p>hello</p><script>alert(1)</script><p>world</p>",
"expected": "<p>hello</p><p>world</p>"
},
{
"name": "15-pre-encoded-entities-preserved",
"input": "&lt;script&gt;alert(1)&lt;/script&gt;",
"expected": "&lt;script&gt;alert(1)&lt;/script&gt;"
},
{
"name": "16-unicode-in-href-preserved",
"input": "<a href=\"https://example.com/?q=日本語\">x</a>",
"expected": "<a href=\"https://example.com/?q=日本語\">x</a>"
},
{
"name": "17-unclosed-tag-passes-through",
"input": "<p>unclosed",
"expected": "<p>unclosed"
},
{
"name": "18-onclick-attribute-stripped-tag-survives",
"input": "<p onclick=\"x\">hi</p>",
"expected": "<p>hi</p>"
},
{
"name": "19-tab-bypass-in-scheme-blocked",
"input": "<a href=\"java\tscript:alert(1)\">x</a>",
"expected": "<a>x</a>"
},
{
"name": "20-uppercase-tag-and-attr-normalised",
"input": "<A HREF=\"https://example.com\">x</A>",
"expected": "<a href=\"https://example.com\">x</a>"
},
{
"name": "21-style-content-dropped",
"input": "<style>body{display:none}</style>visible",
"expected": "visible"
},
{
"name": "22-object-content-dropped",
"input": "<object data=\"x.swf\">flash</object>safe",
"expected": "safe"
},
{
"name": "23-svg-onload-dropped",
"input": "<svg onload=\"alert(1)\"><circle r=\"5\"/></svg>safe",
"expected": "safe"
},
{
"name": "24-blockquote-passthrough",
"input": "<blockquote>quoted text</blockquote>",
"expected": "<blockquote>quoted text</blockquote>"
},
{
"name": "25-headings-passthrough",
"input": "<h1>title</h1><h2>section</h2>",
"expected": "<h1>title</h1><h2>section</h2>"
},
{
"name": "26-attribute-value-with-gt-byte",
"input": "<a href=\"https://example.com/?q=1>2\" title=\"a > b\">x</a>",
"expected": "<a href=\"https://example.com/?q=1>2\" title=\"a > b\">x</a>"
},
{
"name": "27-nested-script-after-text",
"input": "lead<p>para</p><script>alert(1)</script>tail",
"expected": "lead<p>para</p>tail"
},
{
"name": "28-empty-input",
"input": "",
"expected": ""
},
{
"name": "29-plain-text",
"input": "just text, no tags",
"expected": "just text, no tags"
}
]
}