Diffstat (limited to 'spec/frontend/notebook')
4 files changed, 121 insertions, 80 deletions
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
new file mode 100644
index 00000000000..a886715ce4b
--- /dev/null
+++ b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
@@ -0,0 +1,114 @@
+export default [
+ [
+ 'protocol-based JS injection: simple, no spaces',
+ {
+ input: `<a href="javascript:alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: simple, spaces before',
+ {
+ input: `<a href="javascript :alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: simple, spaces after',
+ {
+ input: `<a href="javascript: alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: simple, spaces before and after',
+ {
+ input: `<a href="javascript : alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: preceding colon',
+ {
+ input: `<a href=":javascript:alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: UTF-8 encoding',
+ {
+ input: '<a href="javascript:">foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: long UTF-8 encoding',
+ {
+ input: '<a href="javascript:">foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: long UTF-8 encoding without semicolons',
+ {
+ input:
+ '<a href=javascript:alert('XSS')>foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: hex encoding',
+ {
+ input: '<a href="javascript:">foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: long hex encoding',
+ {
+ input: '<a href="javascript:">foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: hex encoding without semicolons',
+ {
+ input:
+ '<a href=javascript:alert('XSS')>foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: null char',
+ {
+ input: '<a href=java\u0000script:alert("XSS")>foo</a>',
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: invalid URL char',
+ { input: '<img src=javascript:alert("XSS")>', output: '<img>' },
+ ],
+ [
+ 'protocol-based JS injection: Unicode',
+ {
+ input: `<a href="\u0001java\u0003script:alert('XSS')">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'protocol-based JS injection: spaces and entities',
+ {
+ input: `<a href="  javascript:alert('XSS');">foo</a>`,
+ output: '<a>foo</a>',
+ },
+ ],
+ [
+ 'img on error',
+ {
+ input: '<img src="x" onerror="alert(document.domain)" />',
+ output: '<img src="x">',
+ },
+ ],
+ ['style tags are removed', { input: '<style>.foo {}</style> Foo', output: 'Foo' }],
+];
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_tests.js b/spec/frontend/notebook/cells/output/html_sanitize_tests.js
deleted file mode 100644
index 74c48f04367..00000000000
--- a/spec/frontend/notebook/cells/output/html_sanitize_tests.js
+++ /dev/null
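Review bot: The inputs for the 'UTF-8 encoding', 'long UTF-8 encoding', 'hex encoding' and 'long hex encoding' cases read here as plain `<a href="javascript:">foo</a>`, so as shown they are the 'simple, no spaces' case minus its payload and do not exercise the character-reference decoding their names describe; the 'spaces and entities' case likewise shows two literal spaces rather than entities. The two 'without semicolons' variants show a single-quoted literal containing unescaped single quotes (`'<a href=javascript:alert('XSS')>foo</a>'`), which would not parse, so this is most likely the page decoding `&#...;` references rather than the committed text; it is worth confirming against the file that the references survive, since the decoded form would make those cases redundant with the first one. The fixture file also has no header comment; one line such as `// Each entry is [name, { input, output }]: raw HTML fed to the html output cell and the exact innerHTML the sanitizer must leave behind.` would document the tuple shape `it.each` relies on.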
@@ -1,68 +0,0 @@
-export default {
- 'protocol-based JS injection: simple, no spaces': {
- input: '<a href="javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces before': {
- input: '<a href="javascript :alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces after': {
- input: '<a href="javascript: alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: simple, spaces before and after': {
- input: '<a href="javascript : alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: preceding colon': {
- input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: UTF-8 encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long UTF-8 encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long UTF-8 encoding without semicolons': {
- input:
- '<a href=javascript:alert('XSS')>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: hex encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: long hex encoding': {
- input: '<a href="javascript:">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: hex encoding without semicolons': {
- input:
- '<a href=javascript:alert('XSS')>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: null char': {
- input: '<a href=java\0script:alert("XSS")>foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: invalid URL char': {
- input: '<img src=javascript:alert("XSS")>',
- output: '<img>',
- },
- 'protocol-based JS injection: Unicode': {
- input: '<a href="\u0001java\u0003script:alert(\'XSS\')">foo</a>',
- output: '<a>foo</a>',
- },
- 'protocol-based JS injection: spaces and entities': {
- input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
- output: '<a>foo</a>',
- },
- 'img on error': {
- input: '<img src="x" onerror="alert(document.domain)" />',
- output: '<img src="x">',
- },
-};
diff --git a/spec/frontend/notebook/cells/output/html_spec.js b/spec/frontend/notebook/cells/output/html_spec.js
index 3ee404fb187..48d62d74a50 100644
--- a/spec/frontend/notebook/cells/output/html_spec.js
+++ b/spec/frontend/notebook/cells/output/html_spec.js
@@ -1,6 +1,6 @@
 import Vue from 'vue';
 import htmlOutput from '~/notebook/cells/output/html.vue';
-import sanitizeTests from './html_sanitize_tests';
+import sanitizeTests from './html_sanitize_fixtures';
 describe('html output cell', () => {
 function createComponent(rawCode) {
@@ -15,17 +15,12 @@ describe('html output cell', () => {
 }).$mount();
 }
- describe('sanitizes output', () => {
- Object.keys(sanitizeTests).forEach(key => {
- it(key, () => {
- const test = sanitizeTests[key];
- const vm = createComponent(test.input);
- const outputEl = [...vm.$el.querySelectorAll('div')].pop();
+ it.each(sanitizeTests)('sanitizes output for: %p', (name, { input, output }) => {
+ const vm = createComponent(input);
+ const outputEl = [...vm.$el.querySelectorAll('div')].pop();
- expect(outputEl.innerHTML).toEqual(test.output);
+ expect(outputEl.innerHTML).toEqual(output);
- vm.$destroy();
- });
- });
+ vm.$destroy();
 });
 });
diff --git a/spec/frontend/notebook/cells/output/index_spec.js b/spec/frontend/notebook/cells/output/index_spec.js
index 2b1aa5317c5..b9a2dfb8f34 100644
--- a/spec/frontend/notebook/cells/output/index_spec.js
+++ b/spec/frontend/notebook/cells/output/index_spec.js
@@ -34,7 +34,7 @@ describe('Output component', () => {
 expect(vm.$el.querySelector('pre')).not.toBeNull();
 });
- it('renders promot', () => {
+ it('renders prompt', () => {
 expect(vm.$el.querySelector('.prompt span')).not.toBeNull();
 });
 });
|
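Review bot: In html_spec.js, `vm.$destroy()` at the end of the new `it.each` body only runs when the `expect` before it passes; a failing fixture skips it and leaves that mounted instance alive for the remaining cases. Putting the assertion in a `try` with `vm.$destroy()` in its `finally`, or destroying the instance in an `afterEach`, keeps the cleanup unconditional whatever the sanitizer returns. As a minor point of style, the `%p` placeholder pretty-prints the fixture name with surrounding quotes; `%s` would print it plainly, and the unused `name` parameter could then be dropped in favour of `_`. The enclosing `describe('html output cell', …)` starts before the hunk.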