tests.js
var safeHtml = require('./safe-html');
var expect = require('expect.js');
var _ = require('underscore');
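// Mocha suite for safe-html. Each case feeds hostile-looking markup through the
// sanitizer and pins the exact output string, so any loosening of the tag,
// attribute or URL-scheme policy surfaces as a string mismatch.
describe('safe-html', function () {
  it('should strip tags not in the allowed list', function () {
    // The unknown element is dropped but its text and the allowed <b> survive.
    expect(safeHtml('<crazyTag>Hello <b>World</b></crazyTag>'))
      .to.equal('Hello <b>World</b>');
  });

  it('should drop contents of script tags (default config)', function () {
    // The script body must vanish entirely, not be re-emitted as text.
    expect(safeHtml("<div>Hello <script>alert('boom!')</script>World</div>"))
      .to.equal('<div>Hello World</div>');
  });

  it('should not allow attributes not explicitely allowed for tags', function () {
    expect(safeHtml("<div dostuff='hello'>Hello World</div>"))
      .to.equal('<div>Hello World</div>');
  });

  it('should HTML encode text', function () {
    // The expected value is written with entities (&amp;, &quot;). The rendered
    // copy of this file had them decoded, which left unescaped double quotes
    // inside a double-quoted literal and made this line a syntax error.
    expect(safeHtml('<i>Hello & "World"</i>'))
      .to.equal('<i>Hello &amp; &quot;World&quot;</i>');
  });

  it('should HTML encode attribute values', function () {
    // expect.js ignores a second argument, so the original
    // expect(actual, expected) form asserted nothing; chain .to.equal instead.
    // The expected value uses &amp; here on the assumption that the original
    // entity was decoded by the page rendering, as it was for the text test
    // above -- confirm against the library's actual output.
    expect(safeHtml(
      '<div my-attribute="my&class">Hello World</div>',
      {allowedAttributes: {'my-attribute': {allTags: true}}}
    )).to.equal('<div my-attribute="my&amp;class">Hello World</div>');
  });

  it('should normalise the syntax for attributes', function () {
    // Same vacuous-assertion fix as above. Unquoted, single-quoted, bare and
    // empty attributes are all expected to come out double-quoted. Note the
    // author's expectation keeps `c` and `d=""` even though only a and b are
    // allow-listed; if this case fails, the expectation may be what needs review.
    expect(safeHtml(
      "<div a=hello b='world' c d=\"\">Hello World</div>",
      {allowedAttributes: {a: {allTags: true}, b: {allTags: true}}}
    )).to.equal('<div a="hello" b="world" c d="">Hello World</div>');
  });

  it('should not allow through other stuff inside tags', function () {
    // Same vacuous-assertion fix as above. Stray `<`, `=` and quote characters
    // inside a tag must not leak into the output.
    expect(safeHtml("<div < = '>Hello World</div>"))
      .to.equal('<div>Hello World</div>');
  });

  it('should only allow http, mailto and tel links (default config)', function () {
    // The first anchor's href contains nested double quotes, so the attribute
    // value an HTML parser sees ends at `javascript:alert(` -- still a
    // javascript: scheme, so the scheme check is exercised; the trailing
    // fragment is presumably discarded like other junk inside a tag.
    // Relative URLs are also dropped under the default config.
    expect(safeHtml(
      '<a href="javascript:alert("Bam!")">Hello World</a>' +
      '<a href="/relative/url">Hello World</a>' +
      '<a href="http://example.com">Hello World</a>' +
      '<a href="https://example.com">Hello World</a>' +
      '<a href="mailto:[email protected]">Hello World</a>' +
      '<a href="tel:123">Hello World</a>'
    )).to.equal(
      '<a>Hello World</a>' +
      '<a>Hello World</a>' +
      '<a href="http://example.com">Hello World</a>' +
      '<a href="https://example.com">Hello World</a>' +
      '<a href="mailto:[email protected]">Hello World</a>' +
      '<a href="tel:123">Hello World</a>'
    );
  });
});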