2023-06-19 14:42:47 -07:00
// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0
2017-11-19 21:10:04 -08:00
2023-08-10 19:46:45 -07:00
package sanitizer // import "miniflux.app/v2/internal/reader/sanitizer"
2017-11-19 21:10:04 -08:00
2023-07-05 17:11:56 +02:00
import (
"os"
2025-01-12 01:19:31 +00:00
"strings"
2023-07-05 17:11:56 +02:00
"testing"
2025-01-12 01:19:31 +00:00
"golang.org/x/net/html"
2023-08-10 19:46:45 -07:00
"miniflux.app/v2/internal/config"
2023-07-05 17:11:56 +02:00
)
func TestMain ( m * testing . M ) {
config . Opts = config . NewOptions ( )
exitCode := m . Run ( )
os . Exit ( exitCode )
}
2017-11-19 21:10:04 -08:00
2024-03-05 18:00:21 +01:00
func BenchmarkSanitize ( b * testing . B ) {
var testCases = map [ string ] [ ] string {
"miniflux_github.html" : { "https://github.com/miniflux/v2" , "" } ,
"miniflux_wikipedia.html" : { "https://fr.wikipedia.org/wiki/Miniflux" , "" } ,
}
for filename := range testCases {
data , err := os . ReadFile ( "testdata/" + filename )
if err != nil {
b . Fatalf ( ` Unable to read file %q: %v ` , filename , err )
}
testCases [ filename ] [ 1 ] = string ( data )
}
for range b . N {
for _ , v := range testCases {
Sanitize ( v [ 0 ] , v [ 1 ] )
}
}
}
2025-01-12 01:19:31 +00:00
func FuzzSanitizer ( f * testing . F ) {
f . Fuzz ( func ( t * testing . T , orig string ) {
tok := html . NewTokenizer ( strings . NewReader ( orig ) )
i := 0
for tok . Next ( ) != html . ErrorToken {
i ++
}
out := Sanitize ( "" , orig )
tok = html . NewTokenizer ( strings . NewReader ( out ) )
j := 0
for tok . Next ( ) != html . ErrorToken {
j ++
}
if j > i {
t . Errorf ( "Got more html tokens in the sanitized html." )
}
} )
}
2017-11-19 21:10:04 -08:00
func TestValidInput ( t * testing . T ) {
2019-09-10 21:12:38 -07:00
input := ` <p>This is a <strong>text</strong> with an image: <img src="http://example.org/" alt="Test" loading="lazy">.</p> `
2017-11-19 21:10:04 -08:00
output := Sanitize ( "http://example.org/" , input )
if input != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , input , output )
}
}
2022-07-03 17:36:27 -07:00
func TestImgWithWidthAndHeightAttribute ( t * testing . T ) {
input := ` <img src="https://example.org/image.png" width="10" height="20"> `
expected := ` <img src="https://example.org/image.png" width="10" height="20" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2022-07-04 19:59:52 -07:00
func TestImgWithWidthAndHeightAttributeLargerThanMinifluxLayout ( t * testing . T ) {
input := ` <img src="https://example.org/image.png" width="1200" height="675"> `
expected := ` <img src="https://example.org/image.png" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2022-07-03 17:36:27 -07:00
func TestImgWithIncorrectWidthAndHeightAttribute ( t * testing . T ) {
input := ` <img src="https://example.org/image.png" width="10px" height="20px"> `
expected := ` <img src="https://example.org/image.png" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2021-02-06 14:33:28 -08:00
func TestImgWithTextDataURL ( t * testing . T ) {
input := ` <img src="data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==" alt="Example"> `
expected := ` `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2020-10-14 22:19:05 -07:00
func TestImgWithDataURL ( t * testing . T ) {
input := ` <img src="data:image/gif;base64,test" alt="Example"> `
expected := ` <img src="data:image/gif;base64,test" alt="Example" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2025-02-15 17:57:01 -08:00
func TestImgWithSrcsetAttribute ( t * testing . T ) {
2020-10-14 22:19:05 -07:00
input := ` <img srcset="example-320w.jpg, example-480w.jpg 1.5x, example-640w.jpg 2x, example-640w.jpg 640w" src="example-640w.jpg" alt="Example"> `
2020-09-28 23:07:04 -07:00
expected := ` <img srcset="http://example.org/example-320w.jpg, http://example.org/example-480w.jpg 1.5x, http://example.org/example-640w.jpg 2x, http://example.org/example-640w.jpg 640w" src="http://example.org/example-640w.jpg" alt="Example" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2025-02-15 17:57:01 -08:00
func TestImgWithSrcsetAndNoSrcAttribute ( t * testing . T ) {
input := ` <img srcset="example-320w.jpg, example-480w.jpg 1.5x, example-640w.jpg 2x, example-640w.jpg 640w" alt="Example"> `
expected := ` <img srcset="http://example.org/example-320w.jpg, http://example.org/example-480w.jpg 1.5x, http://example.org/example-640w.jpg 2x, http://example.org/example-640w.jpg 640w" alt="Example" loading="lazy"> `
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2021-10-13 21:27:39 -07:00
func TestSourceWithSrcsetAndMedia ( t * testing . T ) {
input := ` <picture><source media="(min-width: 800px)" srcset="elva-800w.jpg"></picture> `
expected := ` <picture><source media="(min-width: 800px)" srcset="http://example.org/elva-800w.jpg"></picture> `
2020-10-14 22:19:05 -07:00
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2021-10-13 21:27:39 -07:00
func TestMediumImgWithSrcset ( t * testing . T ) {
input := ` <img alt="Image for post" class="t u v ef aj" src="https://miro.medium.com/max/5460/1*aJ9JibWDqO81qMfNtqgqrw.jpeg" srcset="https://miro.medium.com/max/552/1*aJ9JibWDqO81qMfNtqgqrw.jpeg 276w, https://miro.medium.com/max/1000/1*aJ9JibWDqO81qMfNtqgqrw.jpeg 500w" sizes="500px" width="2730" height="3407"> `
2022-07-04 19:59:52 -07:00
expected := ` <img alt="Image for post" src="https://miro.medium.com/max/5460/1*aJ9JibWDqO81qMfNtqgqrw.jpeg" srcset="https://miro.medium.com/max/552/1*aJ9JibWDqO81qMfNtqgqrw.jpeg 276w, https://miro.medium.com/max/1000/1*aJ9JibWDqO81qMfNtqgqrw.jpeg 500w" sizes="500px" loading="lazy"> `
2020-09-28 23:07:04 -07:00
output := Sanitize ( "http://example.org/" , input )
if output != expected {
t . Errorf ( ` Wrong output: %s ` , output )
}
}
2017-11-19 21:10:04 -08:00
func TestSelfClosingTags ( t * testing . T ) {
2019-09-10 21:12:38 -07:00
input := ` <p>This <br> is a <strong>text</strong> <br/>with an image: <img src="http://example.org/" alt="Test" loading="lazy"/>.</p> `
2017-11-19 21:10:04 -08:00
output := Sanitize ( "http://example.org/" , input )
if input != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , input , output )
}
}
func TestTable ( t * testing . T ) {
input := ` <table><tr><th>A</th><th colspan="2">B</th></tr><tr><td>C</td><td>D</td><td>E</td></tr></table> `
output := Sanitize ( "http://example.org/" , input )
if input != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , input , output )
}
}
func TestRelativeURL ( t * testing . T ) {
input := ` This <a href="/test.html">link is relative</a> and this image: <img src="../folder/image.png"/> `
2019-09-10 21:12:38 -07:00
expected := ` This <a href="http://example.org/test.html" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">link is relative</a> and this image: <img src="http://example.org/folder/image.png" loading="lazy"/> `
2017-11-19 21:10:04 -08:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestProtocolRelativeURL ( t * testing . T ) {
input := ` This <a href="//static.example.org/index.html">link is relative</a>. `
expected := ` This <a href="https://static.example.org/index.html" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">link is relative</a>. `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestInvalidTag ( t * testing . T ) {
2025-03-06 18:23:27 +01:00
input := ` <p>My invalid <z>tag</z>.</p> `
2017-11-19 21:10:04 -08:00
expected := ` <p>My invalid tag.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestVideoTag ( t * testing . T ) {
input := ` <p>My valid <video src="videofile.webm" autoplay poster="posterimage.jpg">fallback</video>.</p> `
expected := ` <p>My valid <video src="http://example.org/videofile.webm" poster="http://example.org/posterimage.jpg" controls>fallback</video>.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestAudioAndSourceTag ( t * testing . T ) {
input := ` <p>My music <audio controls="controls"><source src="foo.wav" type="audio/wav"></audio>.</p> `
expected := ` <p>My music <audio controls><source src="http://example.org/foo.wav" type="audio/wav"></audio>.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestUnknownTag ( t * testing . T ) {
input := ` <p>My invalid <unknown>tag</unknown>.</p> `
expected := ` <p>My invalid tag.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestInvalidNestedTag ( t * testing . T ) {
2025-03-06 18:23:27 +01:00
input := ` <p>My invalid <z>tag with some <em>valid</em> tag</z>.</p> `
2017-11-19 21:10:04 -08:00
expected := ` <p>My invalid tag with some <em>valid</em> tag.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestInvalidIFrame ( t * testing . T ) {
input := ` <iframe src="http://example.org/"></iframe> `
expected := ` `
2020-09-06 22:41:42 +02:00
output := Sanitize ( "http://example.com/" , input )
2017-11-19 21:10:04 -08:00
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2021-02-13 13:52:18 -08:00
func TestIFrameWithChildElements ( t * testing . T ) {
input := ` <iframe src="https://www.youtube.com/"><p>test</p></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube.com/" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2021-02-13 13:52:18 -08:00
output := Sanitize ( "http://example.com/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2022-09-11 22:32:16 -07:00
func TestAnchorLink ( t * testing . T ) {
input := ` <p>This link is <a href="#some-anchor">an anchor</a></p> `
expected := ` <p>This link is <a href="#some-anchor">an anchor</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2017-11-19 21:10:04 -08:00
func TestInvalidURLScheme ( t * testing . T ) {
input := ` <p>This link is <a src="file:///etc/passwd">not valid</a></p> `
expected := ` <p>This link is not valid</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2020-01-02 11:03:03 -08:00
func TestAPTURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="apt:some-package?channel=test">valid</a></p> `
expected := ` <p>This link is <a href="apt:some-package?channel=test" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestBitcoinURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W">valid</a></p> `
expected := ` <p>This link is <a href="bitcoin:175tWpb8K1S7NmH4Zx6rewF9WQrcZv245W" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestCallToURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="callto:12345679">valid</a></p> `
expected := ` <p>This link is <a href="callto:12345679" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestFeedURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="feed://example.com/rss.xml">valid</a></p> `
expected := ` <p>This link is <a href="feed://example.com/rss.xml" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="feed:https://example.com/rss.xml">valid</a></p> `
expected = ` <p>This link is <a href="feed:https://example.com/rss.xml" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestGeoURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="geo:13.4125,103.8667">valid</a></p> `
expected := ` <p>This link is <a href="geo:13.4125,103.8667" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestItunesURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="itms://itunes.com/apps/my-app-name">valid</a></p> `
expected := ` <p>This link is <a href="itms://itunes.com/apps/my-app-name" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="itms-apps://itunes.com/apps/my-app-name">valid</a></p> `
expected = ` <p>This link is <a href="itms-apps://itunes.com/apps/my-app-name" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestMagnetURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7">valid</a></p> `
expected := ` <p>This link is <a href="magnet:?xt.1=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C&xt.2=urn:sha1:TXGCZQTH26NL6OUQAJJPFALHG2LTGBC7" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestMailtoURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="mailto:jsmith@example.com?subject=A%20Test&body=My%20idea%20is%3A%20%0A">valid</a></p> `
expected := ` <p>This link is <a href="mailto:jsmith@example.com?subject=A%20Test&body=My%20idea%20is%3A%20%0A" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestNewsURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="news://news.server.example/*">valid</a></p> `
expected := ` <p>This link is <a href="news://news.server.example/*" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="news:example.group.this">valid</a></p> `
expected = ` <p>This link is <a href="news:example.group.this" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="nntp://news.server.example/example.group.this">valid</a></p> `
expected = ` <p>This link is <a href="nntp://news.server.example/example.group.this" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestRTMPURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="rtmp://mycompany.com/vod/mp4:mycoolvideo.mov">valid</a></p> `
expected := ` <p>This link is <a href="rtmp://mycompany.com/vod/mp4:mycoolvideo.mov" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestSIPURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="sip:+1-212-555-1212:1234@gateway.com;user=phone">valid</a></p> `
expected := ` <p>This link is <a href="sip:+1-212-555-1212:1234@gateway.com;user=phone" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="sips:alice@atlanta.com?subject=project%20x&priority=urgent">valid</a></p> `
expected = ` <p>This link is <a href="sips:alice@atlanta.com?subject=project%20x&priority=urgent" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestSkypeURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="skype:echo123?call">valid</a></p> `
expected := ` <p>This link is <a href="skype:echo123?call" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestSpotifyURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="spotify:track:2jCnn1QPQ3E8ExtLe6INsx">valid</a></p> `
expected := ` <p>This link is <a href="spotify:track:2jCnn1QPQ3E8ExtLe6INsx" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestSteamURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="steam://settings/account">valid</a></p> `
expected := ` <p>This link is <a href="steam://settings/account" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestSubversionURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="svn://example.org">valid</a></p> `
expected := ` <p>This link is <a href="svn://example.org" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
input = ` <p>This link is <a href="svn+ssh://example.org">valid</a></p> `
expected = ` <p>This link is <a href="svn+ssh://example.org" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output = Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestTelURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="tel:+1-201-555-0123">valid</a></p> `
expected := ` <p>This link is <a href="tel:+1-201-555-0123" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestWebcalURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="webcal://example.com/calendar.ics">valid</a></p> `
expected := ` <p>This link is <a href="webcal://example.com/calendar.ics" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestXMPPURIScheme ( t * testing . T ) {
input := ` <p>This link is <a href="xmpp:user@host?subscribe&type=subscribed">valid</a></p> `
expected := ` <p>This link is <a href="xmpp:user@host?subscribe&type=subscribed" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">valid</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2017-11-19 21:10:04 -08:00
func TestBlacklistedLink ( t * testing . T ) {
input := ` <p>This image is not valid <img src="https://stats.wordpress.com/some-tracker"></p> `
expected := ` <p>This image is not valid </p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2024-07-19 21:03:33 -07:00
func TestLinkWithTrackers ( t * testing . T ) {
input := ` <p>This link has trackers <a href="https://example.com/page?utm_source=newsletter">Test</a></p> `
expected := ` <p>This link has trackers <a href="https://example.com/page" rel="noopener noreferrer" target="_blank" referrerpolicy="no-referrer">Test</a></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestImageSrcWithTrackers ( t * testing . T ) {
input := ` <p>This image has trackers <img src="https://example.org/?id=123&utm_source=newsletter&utm_medium=email&fbclid=abc123"></p> `
expected := ` <p>This image has trackers <img src="https://example.org/?id=123" loading="lazy"></p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2017-11-19 21:10:04 -08:00
func TestPixelTracker ( t * testing . T ) {
input := ` <p><img src="https://tracker1.example.org/" height="1" width="1"> and <img src="https://tracker2.example.org/" height="1" width="1"/></p> `
expected := ` <p> and </p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2017-11-25 18:08:59 -08:00
func TestXmlEntities ( t * testing . T ) {
input := ` <pre>echo "test" > /etc/hosts</pre> `
expected := ` <pre>echo "test" > /etc/hosts</pre> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestEspaceAttributes ( t * testing . T ) {
input := ` <td rowspan="<b>test</b>">test</td> `
expected := ` <td rowspan="<b>test</b>">test</td> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2018-06-12 18:45:09 -07:00
func TestReplaceYoutubeURL ( t * testing . T ) {
input := ` <iframe src="http://www.youtube.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube-nocookie.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-06-12 18:45:09 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestReplaceSecureYoutubeURL ( t * testing . T ) {
input := ` <iframe src="https://www.youtube.com/embed/test123"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube-nocookie.com/embed/test123" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-06-12 18:45:09 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestReplaceSecureYoutubeURLWithParameters ( t * testing . T ) {
input := ` <iframe src="https://www.youtube.com/embed/test123?rel=0&controls=0"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-06-12 18:45:09 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestReplaceYoutubeURLAlreadyReplaced ( t * testing . T ) {
2018-07-02 03:16:27 -04:00
input := ` <iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube-nocookie.com/embed/test123?rel=0&controls=0" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-06-12 18:45:09 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2018-07-04 22:45:44 -07:00
func TestReplaceProtocolRelativeYoutubeURL ( t * testing . T ) {
input := ` <iframe src="//www.youtube.com/embed/Bf2W84jrGqs" width="560" height="314" allowfullscreen="allowfullscreen"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://www.youtube-nocookie.com/embed/Bf2W84jrGqs" width="560" height="314" allowfullscreen="allowfullscreen" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-07-04 22:45:44 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2023-07-05 17:11:56 +02:00
func TestReplaceYoutubeURLWithCustomURL ( t * testing . T ) {
os . Clearenv ( )
os . Setenv ( "YOUTUBE_EMBED_URL_OVERRIDE" , "https://invidious.custom/embed/" )
var err error
parser := config . NewParser ( )
config . Opts , err = parser . ParseEnvironmentVariables ( )
if err != nil {
t . Fatalf ( ` Parsing failure: %v ` , err )
}
input := ` <iframe src="https://www.youtube.com/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent"></iframe> `
2023-12-10 12:54:43 -07:00
expected := ` <iframe src="https://invidious.custom/embed/test123?version=3&rel=1&fs=1&autohide=2&showsearch=0&showinfo=1&iv_load_policy=1&wmode=transparent" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2023-07-05 17:11:56 +02:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2024-12-10 01:14:54 +00:00
func TestReplaceIframeVimedoDNTURL ( t * testing . T ) {
2018-06-12 18:45:09 -07:00
input := ` <iframe src="https://player.vimeo.com/video/123456?title=0&byline=0"></iframe> `
2024-12-10 01:14:54 +00:00
expected := ` <iframe src="https://player.vimeo.com/video/123456?title=0&byline=0&dnt=1" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" loading="lazy"></iframe> `
2018-06-12 18:45:09 -07:00
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2018-06-23 20:50:43 -04:00
func TestReplaceNoScript ( t * testing . T ) {
2019-09-10 21:12:38 -07:00
input := ` <p>Before paragraph.</p><noscript>Inside <code>noscript</code> tag with an image: <img src="http://example.org/" alt="Test" loading="lazy"></noscript><p>After paragraph.</p> `
2018-06-23 20:50:43 -04:00
expected := ` <p>Before paragraph.</p><p>After paragraph.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
func TestReplaceScript ( t * testing . T ) {
input := ` <p>Before paragraph.</p><script type="text/javascript">alert("1");</script><p>After paragraph.</p> `
expected := ` <p>Before paragraph.</p><p>After paragraph.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2018-06-24 13:16:07 -04:00
func TestReplaceStyle ( t * testing . T ) {
input := ` <p>Before paragraph.</p><style>body { background-color: #ff0000; }</style><p>After paragraph.</p> `
expected := ` <p>Before paragraph.</p><p>After paragraph.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2024-06-19 20:38:24 +02:00
func TestHiddenParagraph ( t * testing . T ) {
input := ` <p>Before paragraph.</p><p hidden>This should <em>not</em> appear in the <strong>output</strong></p><p>After paragraph.</p> `
expected := ` <p>Before paragraph.</p><p>After paragraph.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
2025-01-22 20:44:41 -08:00
func TestAttributesAreStripped ( t * testing . T ) {
input := ` <p style="color: red;">Some text.<hr style="color: blue"/>Test.</p> `
expected := ` <p>Some text.<hr/>Test.</p> `
output := Sanitize ( "http://example.org/" , input )
if expected != output {
t . Errorf ( ` Wrong output: "%s" != "%s" ` , expected , output )
}
}
