
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'spec/frontend/lib/dompurify_spec.js')
-rw-r--r--spec/frontend/lib/dompurify_spec.js16
1 files changed, 16 insertions, 0 deletions
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js
index a01f86678e9..fa8dbb12a08 100644
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -30,6 +30,9 @@ const unsafeUrls = [
`https://evil.url/${absoluteGon.sprite_file_icons}`,
];
+const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
+const acceptedDataAttrs = ['data-random', 'data-custom'];
+
describe('~/lib/dompurify', () => {
let originalGon;
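Review bot: `forbiddenDataAttrs` is declared without any comment saying why these four names are denied while other `data-*` attributes are allowed, so a later maintainer cannot tell whether the list is complete or safe to trim. The names look like the ones a UJS-style helper reads to issue requests on click, but that is inferred from the names and should be confirmed against the sanitizer config. I would add a line above the constant such as `// data-* attributes that client-side helpers act on (remote request, URL, type, method); sanitize() must strip them from user HTML.` and note that the list mirrors the one in `~/lib/dompurify`, so the two stay in sync. The `describe` body that uses these constants continues outside this hunk.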
@@ -95,4 +98,17 @@ describe('~/lib/dompurify', () => {
expect(sanitize(htmlXlink)).toBe(expectedSanitized);
});
});
+
+ describe('handles data attributes correctly', () => {
+ it.each(forbiddenDataAttrs)('removes %s attributes', (attr) => {
+ const htmlHref = `<a ${attr}="true">hello</a>`;
+ expect(sanitize(htmlHref)).toBe('<a>hello</a>');
+ });
+
+ it.each(acceptedDataAttrs)('does not remove %s attributes', (attr) => {
+ const attrWithValue = `${attr}="true"`;
+ const htmlHref = `<a ${attrWithValue}>hello</a>`;
+ expect(sanitize(htmlHref)).toBe(`<a ${attrWithValue}>hello</a>`);
+ });
+ });
});
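Review bot: Both new cases put a single attribute on an `<a>` element, so nothing pins what happens when a forbidden and an allowed `data-*` attribute sit on the same element, or on a tag other than `<a>`. A sanitizer hook that stripped every attribute, or that matched only anchors, would still pass these tests. I would add a mixed case such as `expect(sanitize('<a data-remote="true" data-custom="x">hello</a>')).toBe('<a data-custom="x">hello</a>');`, plus one forbidden-attribute case on a `<button>` or `<form>`, with the expected output confirmed against the real config. As a style point, `htmlHref` is a misleading name here because the markup has no `href`, and something like `htmlWithDataAttr` reads better.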