# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/ require 'test_helper' class HtmlSanitizerTest < ActiveSupport::TestCase setup do @processing_timeout = HtmlSanitizer.const_get(:PROCESSING_TIMEOUT) # XSS processing may run into a timeout on slow CI systems, so turn the timeout off for the test. HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, nil) end teardown do HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, @processing_timeout) end test 'xss' do assert_equal(HtmlSanitizer.strict('123'), '123') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('123123'), '123123') assert_equal(HtmlSanitizer.strict('123123abc'), '123123abc') assert_equal(HtmlSanitizer.strict('123'), '123') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('">'), '">') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('<'), '<') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('

XSS
'), '

XSS

') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('test'), 'test') assert_equal(HtmlSanitizer.strict('test'), 'test') assert_equal(HtmlSanitizer.strict('test', true), 'test') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict(' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-'), ' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('XSS'), 'XSS') assert_equal(HtmlSanitizer.strict('XSS', true), 'XSS') assert_equal(HtmlSanitizer.strict('XSS'), 'XSS') assert_equal(HtmlSanitizer.strict('XSS', true), 'XSS') assert_equal(HtmlSanitizer.strict(''), 'X') assert_equal(HtmlSanitizer.strict('CLICKME'), 'CLICKME') assert_equal(HtmlSanitizer.strict('CLICKME'), 'CLICKME') assert_equal(HtmlSanitizer.strict('CLICKME', true), 'CLICKME') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '

') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict('

'), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('XXX'), 'XXX') assert_equal(HtmlSanitizer.strict('XXX', true), 'XXX') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('', true), '') assert_equal(HtmlSanitizer.strict('

test 123

'), '

test 123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

abc') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('

123

'), '

123

') assert_equal(HtmlSanitizer.strict('test'), 'test') assert_equal(HtmlSanitizer.strict('test'), 'test') assert_equal(HtmlSanitizer.strict('test'), 'test') api_path = Rails.configuration.api_path http_type = Setting.get('http_type') fqdn = Setting.get('fqdn') attachment_url = "#{http_type}://#{fqdn}#{api_path}/ticket_attachment/239/986/1653" attachment_url_good = "#{attachment_url}?disposition=attachment" attachment_url_evil = "#{attachment_url}?disposition=inline" assert_equal(HtmlSanitizer.strict("Evil link"), "Evil link") assert_equal(HtmlSanitizer.strict("Good link"), "Good link") assert_equal(HtmlSanitizer.strict("No disposition"), "No disposition") different_fqdn_url = attachment_url_evil.gsub(fqdn, 'some.other.tld') assert_equal(HtmlSanitizer.strict("Different FQDN"), "Different FQDN") attachment_url_evil_other = "#{attachment_url}?disposition=some_other" assert_equal(HtmlSanitizer.strict("Evil link"), "Evil link") assert_equal(HtmlSanitizer.strict('test'), 'test') end end