From 7bc4d2e0bc65151b6f60dccad50c9c8f50252bd6 Mon Sep 17 00:00:00 2001 From: Johann-S Date: Mon, 11 Feb 2019 16:59:39 +0200 Subject: Add sanitize template option for tooltip/popover plugins. --- js/tests/unit/tooltip.js | 160 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) (limited to 'js/tests/unit/tooltip.js') diff --git a/js/tests/unit/tooltip.js b/js/tests/unit/tooltip.js index 30829d24d5..e66450fb85 100644 --- a/js/tests/unit/tooltip.js +++ b/js/tests/unit/tooltip.js @@ -1106,4 +1106,164 @@ $(function () { assert.strictEqual(offset.offset, myOffset) assert.ok(typeof offset.fn === 'undefined') }) + + QUnit.test('should disable sanitizer', function (assert) { + assert.expect(1) + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + sanitize: false + }) + + var tooltip = $trigger.data('bs.tooltip') + assert.strictEqual(tooltip.config.sanitize, false) + }) + + QUnit.test('should sanitize template by removing disallowed tags', function (assert) { + assert.expect(1) + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + '
', + ' ', + ' Some content', + '
' + ].join('') + }) + + var tooltip = $trigger.data('bs.tooltip') + assert.strictEqual(tooltip.config.template.indexOf('script'), -1) + }) + + QUnit.test('should sanitize template by removing disallowed attributes', function (assert) { + assert.expect(1) + + var $trigger = $('
') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + '
', + ' Some content', + '
' + ].join('') + }) + + var tooltip = $trigger.data('bs.tooltip') + assert.strictEqual(tooltip.config.template.indexOf('onError'), -1) + }) + + QUnit.test('should sanitize template by removing tags with XSS', function (assert) { + assert.expect(1) + + var $trigger = $('
') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + '
', + ' Click me', + ' Some content', + '
' + ].join('') + }) + + var tooltip = $trigger.data('bs.tooltip') + assert.strictEqual(tooltip.config.template.indexOf('script'), -1) + }) + + QUnit.test('should allow custom sanitization rules', function (assert) { + assert.expect(2) + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + 'Click me', + 'Some content' + ].join(''), + whiteList: { + span: null + } + }) + + var tooltip = $trigger.data('bs.tooltip') + + assert.strictEqual(tooltip.config.template.indexOf('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + 'Some content' + ].join(''), + sanitizeFn: function (input) { + return input + } + }) + + var tooltip = $trigger.data('bs.tooltip') + + assert.ok(tooltip.config.template.indexOf('span') !== -1) + }) + + QUnit.test('should allow passing aria attributes', function (assert) { + assert.expect(1) + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + 'Some content' + ].join('') + }) + + var tooltip = $trigger.data('bs.tooltip') + + assert.ok(tooltip.config.template.indexOf('aria-pressed') !== -1) + }) + + QUnit.test('should not sanitize element content', function (assert) { + assert.expect(1) + + var $element = $('
').appendTo('#qunit-fixture') + var content = '' + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + 'Some content' + ].join(''), + html: true, + sanitize: false + }) + + var tooltip = $trigger.data('bs.tooltip') + tooltip.setElementContent($element, content) + + assert.strictEqual($element[0].innerHTML, content) + }) + + QUnit.test('should not take into account sanitize in data attributes', function (assert) { + assert.expect(1) + + var $trigger = $('') + .appendTo('#qunit-fixture') + .bootstrapTooltip({ + template: [ + 'Some content' + ].join('') + }) + + var tooltip = $trigger.data('bs.tooltip') + + assert.strictEqual(tooltip.config.sanitize, true) + }) }) -- cgit v1.2.3
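Review bot: The three "should sanitize template …" tests near the top of the hunk only assert that a substring (`script`, `onError`) is absent from `tooltip.config.template`, so each would still pass if the sanitizer returned an empty string or dropped the whole template. Pair each negative check with a positive one, e.g. `assert.ok(tooltip.config.template.indexOf('Some content') !== -1)` (bumping `assert.expect(1)` to `assert.expect(2)`), so a regression that over-strips the allowed markup is caught as well. The only test that goes through `setElementContent` runs with `sanitize: false` and checks the raw `innerHTML` is preserved; unless it lives elsewhere in the file, a companion test with the default `sanitize` and `html: true` asserting that disallowed markup is removed from the element would cover the path this option exists to protect. The `$(function () {` wrapper enclosing these tests starts before the hunk.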