From becbad07e734cfbc01cda98ef6d1c87a205df6d2 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 8 Apr 2021 11:39:11 -0400
Subject: [PATCH 1/3] test: handle variations in loofah whitespace which changed in Loofah v2.9.0
Related to #111
---
test/sanitizer_test.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 6d44008..2a45d98 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -271,7 +271,8 @@ def test_should_allow_custom_tags_with_custom_attributes
 def test_scrub_style_if_style_attribute_option_is_passed
 input = '

'
- assert_equal '

', safe_list_sanitize(input, attributes: %w(style))
+ actual = safe_list_sanitize(input, attributes: %w(style))
+ assert_includes(['

', '

'], actual)
 end
 def test_should_raise_argument_error_if_tags_is_not_enumerable
From c190b3247afe43329e696120a578cee8ac9c3fd4 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 8 Apr 2021 11:39:43 -0400
Subject: [PATCH 2/3] test: fix encoding in the unicode XSS test
See https://github.com/flavorjones/loofah/pull/205 for a short history of this test string.
Related to #111
---
test/sanitizer_test.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 2a45d98..d81ab2a 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -414,7 +414,7 @@ def test_should_sanitize_img_dynsrc_lowsrc
 end
 def test_should_sanitize_div_background_image_unicode_encoded
- raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
+ raw = %(background-image:\u0075\u0072\u006C\u0028'\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029)
 assert_equal '', sanitize_css(raw)
 end
From f59ecbcfc8300ce040efead7147af03283453b73 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 8 Apr 2021 11:53:34 -0400
Subject: [PATCH 3/3] test: fix typographical errors in the XSS encoding test
See https://github.com/flavorjones/loofah/pull/205 for a short history of this test string.
Related to #111
---
test/sanitizer_test.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index d81ab2a..c8a02c6 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
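Review bot: The new `assert_includes([...], actual)` on the last added line turns the expectation into a choice between two complete documents, so on failure Minitest prints both candidates next to the actual value instead of a diff against a single expected string. Per the commit subject the two candidates differ only in whitespace emitted by Loofah; if that holds, normalising whitespace on both sides and keeping one expectation, e.g. `assert_equal(expected.gsub(/\s+/, ''), actual.gsub(/\s+/, ''))`, keeps a readable diff and records the tolerated variation in one place. The markup of the two expected strings is not reproduced in this chunk, so whether collapsing whitespace inside the `style` attribute value is acceptable for this test needs checking against the full file.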
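Review bot: The replacement `raw` literal uses `%()`, which is a double-quoted literal, so Ruby resolves every `\u00XX` escape at parse time and `sanitize_css` receives the plain string `background-image:url('javascript:alert(…)')` with no backslashes in it; the PATCH 3/3 hunk below has the same property (its literal decodes to `background-image:url('javascript:alert(1234)')`). The method name `test_should_sanitize_div_background_image_unicode_encoded` suggests the case was meant to exercise CSS hex-escape decoding, in which case the backslashes must survive into the string, e.g. `%q(background-image:\0075\0072\006C...)`, where `%q` leaves `\0075` as a literal CSS escape rather than the octal BEL-plus-digit sequence the removed line produced. If plain `javascript:` URL rejection is the intended coverage, a comment stating what the sanitizer actually sees would stop the next reader from drawing the wrong conclusion from the method name, e.g. `# %() resolves the \u escapes at parse time; sanitize_css sees the decoded plain-text URL`.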
@@ -414,7 +414,7 @@ def test_should_sanitize_img_dynsrc_lowsrc
 end
 def test_should_sanitize_div_background_image_unicode_encoded
- raw = %(background-image:\u0075\u0072\u006C\u0028'\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029)
+ raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
 assert_equal '', sanitize_css(raw)
 end