103 lines
3.4 KiB
HTML
103 lines
3.4 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
</head>
|
|
<body>
|
|
<script>
|
|
test(t => {
|
|
// Create an empty config.
|
|
let s = new Sanitizer({});
|
|
// Remove everything unsafe.
|
|
s.removeUnsafe();
|
|
|
|
let config = s.get();
|
|
assert_equals(config.elements.length, 0, "no elements");
|
|
assert_equals(config.replaceWithChildrenElements.length, 0, "no replaceWithChildrenElements");
|
|
assert_equals(config.attributes.length, 0, "no attributes");
|
|
|
|
// https://wicg.github.io/sanitizer-api/#built-in-safe-baseline-configuration
|
|
const SAFE_BASELINE = {
|
|
"removeElements": [
|
|
{
|
|
"namespace": "http://www.w3.org/1999/xhtml",
|
|
"name": "script"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/1999/xhtml",
|
|
"name": "frame"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/1999/xhtml",
|
|
"name": "iframe"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/1999/xhtml",
|
|
"name": "object"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/1999/xhtml",
|
|
"name": "embed"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/2000/svg",
|
|
"name": "script"
|
|
},
|
|
{
|
|
"namespace": "http://www.w3.org/2000/svg",
|
|
"name": "use"
|
|
}
|
|
],
|
|
"removeAttributes": []
|
|
};
|
|
|
|
assert_equals(config.removeElements.length, SAFE_BASELINE.removeElements.length);
|
|
for (let i = 0; i < SAFE_BASELINE.removeElements.length; i++) {
|
|
let element = config.removeElements[i];
|
|
assert_own_property(element, "name");
|
|
assert_equals(element.name, SAFE_BASELINE.removeElements[i].name);
|
|
assert_own_property(element, "namespace");
|
|
assert_equals(element.namespace, SAFE_BASELINE.removeElements[i].namespace);
|
|
}
|
|
|
|
// This list depends on the implementation defined "event handler content attributes"
|
|
assert_true(config.removeAttributes.length > 0, "Has removeAttributes");
|
|
for (let attribute of config.removeAttributes) {
|
|
assert_own_property(attribute, "name");
|
|
assert_true(attribute.name.startsWith("on"), `attribute '${attribute.name}' starts with "on"`);
|
|
assert_own_property(attribute, "namespace"); // XXX Maybe optional?
|
|
assert_equals(attribute.namespace, null, "attribute is in null namespace");
|
|
}
|
|
}, "removeUnsafe removes the right elements and attributes");
|
|
|
|
test(t => {
|
|
let s = new Sanitizer("default");
|
|
let before = s.get();
|
|
|
|
let s2 = new Sanitizer("default");
|
|
s2.removeUnsafe();
|
|
let after = s2.get();
|
|
|
|
// None of the default config elements are unsafe.
|
|
assert_true(before.elements.length > 0);
|
|
assert_equals(before.elements.length, after.elements.length, "elements don't change");
|
|
|
|
// Not in default config.
|
|
assert_equals(before.replaceWithChildrenElements.length, 0);
|
|
assert_equals(after.replaceWithChildrenElements.length, 0);
|
|
|
|
assert_equals(before.removeElements.length, 0);
|
|
assert_equals(after.removeElements.length, 7, "removeElements are added");
|
|
|
|
// None of the default config attributes are unsafe.
|
|
assert_true(before.attributes.length > 0);
|
|
assert_equals(before.attributes.length, after.attributes.length, "attributes don't change");
|
|
|
|
// Imeplementation defined "event handler content attributes"
|
|
assert_equals(before.removeAttributes.length, 0);
|
|
assert_true(after.removeAttributes.length > 0, "removeAttributes are added");
|
|
}, "removeUnsafe with default config")
|
|
</script>
|
|
</body>
|
|
</html>
|