'), '')
assert_equal(HtmlSanitizer.strict(''), ' ')
assert_equal(HtmlSanitizer.strict(' test'), ' test')
assert_equal(HtmlSanitizer.strict(' test'), ' test')
assert_equal(HtmlSanitizer.strict(' test', true), ' test')
assert_equal(HtmlSanitizer.strict(' '), ' ')
assert_equal(HtmlSanitizer.strict(' '), '')
assert_equal(HtmlSanitizer.strict(' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-'), ' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(' XSS'), ' XSS')
assert_equal(HtmlSanitizer.strict(' XSS', true), ' XSS')
assert_equal(HtmlSanitizer.strict(' XSS'), ' XSS')
assert_equal(HtmlSanitizer.strict(' XSS', true), ' XSS')
assert_equal(HtmlSanitizer.strict(' '), 'X')
assert_equal(HtmlSanitizer.strict(' CLICKME'), 'CLICKME')
assert_equal(HtmlSanitizer.strict(' CLICKME'), 'CLICKME')
assert_equal(HtmlSanitizer.strict(' CLICKME', true), 'CLICKME')
assert_equal(HtmlSanitizer.strict(' '), ' ')
assert_equal(HtmlSanitizer.strict(' '), ' ')
assert_equal(HtmlSanitizer.strict(' '), '')
assert_equal(HtmlSanitizer.strict(' '), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict('XXX'), 'XXX')
assert_equal(HtmlSanitizer.strict('XXX', true), 'XXX')
assert_equal(HtmlSanitizer.strict(''), 'alert(1)')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict('', true), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict(''), '')
assert_equal(HtmlSanitizer.strict('test'), 'test')
assert_equal(HtmlSanitizer.strict('test'), 'test')
assert_equal(HtmlSanitizer.strict('test'), 'test')
api_path = Rails.configuration.api_path
http_type = Setting.get('http_type')
fqdn = Setting.get('fqdn')
attachment_url = "#{http_type}://#{fqdn}#{api_path}/ticket_attachment/239/986/1653"
attachment_url_good = "#{attachment_url}?disposition=attachment"
attachment_url_evil = "#{attachment_url}?disposition=inline"
assert_equal(HtmlSanitizer.strict("Evil link"), "Evil link")
assert_equal(HtmlSanitizer.strict("Good link"), "Good link")
assert_equal(HtmlSanitizer.strict("No disposition"), "No disposition")
different_fqdn_url = attachment_url_evil.gsub(fqdn, 'some.other.tld')
assert_equal(HtmlSanitizer.strict("Different FQDN"), "Different FQDN")
attachment_url_evil_other = "#{attachment_url}?disposition=some_other"
assert_equal(HtmlSanitizer.strict("Evil link"), "Evil link")
end
end
|