Upgraded and refactored Sanitizing. Much less crap should get through now!

Conflicts:
	app/assets/javascripts/discourse/components/syntax_highlighting.js
Robin Ward
2013-10-11 16:24:27 -04:00
parent e0e79cae73
commit 5281b7f80c
16 changed files with 175 additions and 174 deletions


@ -27,13 +27,6 @@ test('lists', function() {
format("[ol][li]option one[/li][/ol]", "<ol><li>option one</li></ol>", "creates an ol");
});
test('color', function() {
format("[color=#00f]blue[/color]", "<span style=\"color: #00f\">blue</span>", "supports [color=] with a short hex value");
format("[color=#ffff00]yellow[/color]", "<span style=\"color: #ffff00\">yellow</span>", "supports [color=] with a long hex value");
format("[color=red]red[/color]", "<span style=\"color: red\">red</span>", "supports [color=] with an html color");
format("[color=javascript:alert('wat')]noop[/color]", "<span>noop</span>", "it performs a noop on invalid input");
});
test('tags with arguments', function() {
format("[size=35]BIG [b]whoop[/b][/size]", "<span class=\"bbcode-size-35\">BIG <span class=\"bbcode-b\">whoop</span></span>", "supports [size=]");
format("[url=http://bettercallsaul.com]better call![/url]", "<a href=\"http://bettercallsaul.com\">better call!</a>", "supports [url] with a title");
@ -42,7 +35,6 @@ test('tags with arguments', function() {
format("[b]first[/b] [b]second[/b]", "<span class=\"bbcode-b\">first</span> <span class=\"bbcode-b\">second</span>", "can bold two things on the same line");
});
test("quotes", function() {
var post = Discourse.Post.create({


@ -278,10 +278,12 @@ test("Code Blocks", function() {
});
test("SanitizeHTML", function() {
test("sanitize", function() {
var sanitize = Discourse.Markdown.sanitize;
equal(sanitizeHtml("<div><script>alert('hi');</script></div>"), "<div></div>");
equal(sanitizeHtml("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p class=\"funky\">hello</p></div>");
equal(sanitize("<i class=\"icon-bug icon-spin\">bug</i>"), "<i>bug</i>");
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
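Review bot: The rewritten `sanitize` cases only assert that a `script` element and a non-whitelisted attribute are removed (the `<div><script>…`, `<p class="funky" wrong='1'>` and `<i class="icon-bug icon-spin">` lines); nothing asserts that a whitelisted attribute carrying a `javascript:` scheme, or an event-handler attribute such as `onclick`, is dropped, which is the behaviour the commit message says it tightens. The same commit deletes the bbcode `[color=javascript:alert('wat')]` noop check, so that input loses its only regression test. Since the exact sanitized output is not visible here, assert absence rather than an exact string: `ok(sanitize("<a href=\"javascript:alert('wat')\">x</a>").indexOf("javascript:") === -1, "drops javascript: hrefs");` plus a parallel case for an `onclick` attribute on an allowed element. The trailing `cooked(` call continues outside the rendered hunk, and the `urlAllowed` hunk below only exercises accepted urls, though its end is also outside this view.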
@ -305,3 +307,15 @@ test("URLs in BBCode tags", function() {
"named links are properly parsed");
});
test("urlAllowed", function() {
var allowed = function(url, msg) {
equal(Discourse.Markdown.urlAllowed(url), url, msg);
};
allowed("/foo/bar.html", "allows relative urls");
allowed("http://eviltrout.com/evil/trout", "allows full urls");
allowed("https://eviltrout.com/evil/trout", "allows https urls");
allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
});