Skip to content

Commit

Permalink
test: ensure tests pass when nokogiri uses system libxml2
Browse files Browse the repository at this point in the history
Specifically the patch that affects this behavior is

  nokogiri/patches/libxml2/0002-Update-entities-to-remove-handling-of-ssi.patch

which was introduced to avoid server-side-include vulnerabilities, see

  sparklemotion/nokogiri@4852e43
  • Loading branch information
flavorjones committed Jun 9, 2022
1 parent 9c421f0 commit 9778c47
Showing 1 changed file with 28 additions and 4 deletions.
32 changes: 28 additions & 4 deletions test/sanitizer_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -505,7 +505,13 @@ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer

text = safe_list_sanitize(html)

assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
acceptable_results = [
# nokogiri w/vendored+patched libxml2
%{<a href="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
# nokogiri w/ system libxml2
%{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
]
assert_includes(acceptable_results, text)
end

def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
Expand All @@ -515,7 +521,13 @@ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer

text = safe_list_sanitize(html)

assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
acceptable_results = [
# nokogiri w/vendored+patched libxml2
%{<a src="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
# nokogiri w/system libxml2
%{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
]
assert_includes(acceptable_results, text)
end

def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
Expand All @@ -525,7 +537,13 @@ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer

text = safe_list_sanitize(html)

assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
acceptable_results = [
# nokogiri w/vendored+patched libxml2
%{<a name="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
# nokogiri w/system libxml2
%{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
]
assert_includes(acceptable_results, text)
end

def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
Expand All @@ -535,7 +553,13 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer

text = safe_list_sanitize(html, attributes: ['action'])

assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
acceptable_results = [
# nokogiri w/vendored+patched libxml2
%{<a action="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
# nokogiri w/system libxml2
%{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
]
assert_includes(acceptable_results, text)
end

def test_exclude_node_type_processing_instructions
Expand Down

0 comments on commit 9778c47

Please sign in to comment.