Index: openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl,v
diff -u -N -r1.1.2.1 -r1.1.2.2
--- openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl 12 Jan 2017 20:00:23 -0000 1.1.2.1
+++ openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl 15 Jan 2017 19:18:54 -0000 1.1.2.2
@@ -6,47 +6,62 @@ } -aa_register_case -cats {api smoke} ad_sanitize_html { +aa_register_case -cats {api smoke} ad_dom_sanitize_html { Test if it HTML sanitization works as expected } { # - Weird HTML, nonexistent and unclosed tags, '<' and '>' chars: # result should be ok, with '<' and '>' converted to entities - lappend test_msgs "Invalid markup with single '<' and '>' chars ok?" + lappend test_msgs "Test case 1: invalid markup with single '<' and '>' chars ok" lappend test_cases {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} - lappend test_result_trivial {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} - lappend test_result_no_js {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} - lappend test_result_no_outer_urls {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} + lappend test_results_trivial {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} + lappend test_results_no_js {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} + lappend test_results_no_outer_urls {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} + lappend test_results_fixing_markup {sadsa dfsdafs 3 > 2 dfsdfasdfsdfsad sasasadsasa < sadASDSA} # - Weird HTML, nonexistent and unclosed tags, MULTIPLE '<' and '>' chars: # some loss in translation, multiple '<' and '>' become single ones - lappend test_msgs "Invalid markup with multiple '<' and '>' chars ok?" 
+ lappend test_msgs "Test case 2: invalid markup with multiple '<' and '>' chars ok" lappend test_cases { sadsa dfsdafs 3 < 2 dfsdfasdfsdfsad <<<<<<<<<< a <<< a << <<< << sasasadsasa < sadASDSA } - lappend test_result_trivial { + lappend test_results_trivial { sadsa dfsdafs 3 < 2 dfsdfasdfsdfsad < a < a < sasasadsasa < sadASDSA } - lappend test_result_no_js { + lappend test_results_no_js { sadsa dfsdafs 3 < 2 dfsdfasdfsdfsad < a < a < sasasadsasa < sadASDSA } - lappend test_result_no_outer_urls { + lappend test_results_no_outer_urls { sadsa dfsdafs 3 < 2 dfsdfasdfsdfsad < a < a < sasasadsasa < sadASDSA } + lappend test_results_fixing_markup { + sadsa dfsdafs 3 < 2 dfsdfasdfsdfsad < a < a < sasasadsasa < sadASDSA + } # - Half opened HTML into other markup: this markup will be completely rejected - lappend test_msgs "Invalid unparseable markup ok?" + lappend test_msgs "Test case 3: invalid unparseable markup ok" lappend test_cases { sadsa dfsdafs 3 sadASDSA } - lappend test_result_trivial {} - lappend test_result_no_js {} - lappend test_result_no_outer_urls {} + lappend test_results_trivial {} + lappend test_results_no_js {} + lappend test_results_no_outer_urls {} + lappend test_results_fixing_markup {} + # - Formally invalid HTML: this markup will be rejected when the + # fix option is not enabled and parsed otherwise. Internal + # blank space into tags will be lost. + lappend test_msgs "Test case 4: formally invalid markup ok" + lappend test_cases {
fooo } + lappend test_results_trivial {} + lappend test_results_no_js {} + lappend test_results_no_outer_urls {} + lappend test_results_fixing_markup "
fooo\n
" + # - Plain text: this should stay as it is - lappend test_msgs "Plain text ok?" + lappend test_msgs "Test case 5: plain text ok" set test_case { Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna 
@@ -58,49 +73,133 @@ deserunt mollit anim id est laborum. } lappend test_cases $test_case - lappend test_result_trivial $test_case - lappend test_result_no_js $test_case - lappend test_result_no_outer_urls $test_case + lappend test_results_trivial $test_case + lappend test_results_no_js $test_case + lappend test_results_no_outer_urls $test_case + lappend test_results_fixing_markup $test_case - foreach msg $test_msgs test_case $test_cases result_trivial $test_result_trivial result_no_js $test_result_no_js result_no_outer_urls $test_result_no_outer_urls { - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols *] - set result [string trim $result] ; set result_trivial [string trim $result_trivial] - aa_true $msg [expr {$result eq $result_trivial}] - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -no_js] - set result [string trim $result] ; set result_no_js [string trim $result_no_js] - aa_true $msg [expr {$result eq $result_no_js}] - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -no_outer_urls] - set result [string trim $result] ; set result_no_outer_urls [string trim $result_no_outer_urls] - aa_true $msg [expr {$result eq $result_no_outer_urls}] - } + # Try test cases allowing all kind of markup + foreach \ + msg $test_msgs \ + test_case $test_cases \ + test_result $test_results_trivial { + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols *] + set result [string trim $result] + set test_result [string trim $test_result] + aa_true "$msg trivial?" 
[expr {$result eq $test_result}] + } + # Try test cases not allowing js + foreach \ + msg $test_msgs \ + test_case $test_cases \ + test_result $test_results_no_js { + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -no_js] + set result [string trim $result] + set test_result [string trim $test_result] + aa_true "$msg no js?" [expr {$result eq $test_result}] + } + + # Try test cases not allowing outer urls + foreach \ + msg $test_msgs \ + test_case $test_cases \ + test_result $test_results_no_outer_urls { + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -no_outer_urls] + set result [string trim $result] + set test_result [string trim $test_result] + aa_true "$msg no outer urls?" [expr {$result eq $test_result}] + } + + # Try test cases fixing markup + foreach \ + msg $test_msgs \ + test_case $test_cases \ + test_result $test_results_fixing_markup { + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -fix] + set result [string trim $result] + set test_result [string trim $test_result] + aa_true "$msg fixing markup?" 
[expr {$result eq $test_result}] + } + array set r [util::http::get -url [util::configured_location]] set test_case $r(page) - set msg "In our index page is removing tags ok" + set msg "Test case 6: in our index page is removing tags ok" set unallowed_tags {div style script} - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_tags $unallowed_tags] - set valid_p [ad_sanitize_html -html $result -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_tags $unallowed_tags -validate] + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_tags $unallowed_tags] + set valid_p [ad_dom_sanitize_html -html $result \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_tags $unallowed_tags \ + -validate] aa_true "$msg with validate?" $valid_p aa_false $msg? [regexp {<(div|style|script)\s*[^>]*>} $result] set msg "In our index page is removing attributes ok" set unallowed_attributes {id style} - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_attributes $unallowed_attributes] - set valid_p [ad_sanitize_html -html $result -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_attributes $unallowed_attributes -validate] + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_attributes $unallowed_attributes] + set valid_p [ad_dom_sanitize_html -html $result \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_attributes $unallowed_attributes \ + -validate] aa_true "$msg with validate?" $valid_p aa_false $msg? [regexp {<([a-z]\w*)\s+[^>]*(id|style)=".*"[^>]*>} $result] - set msg "In our index page is removing protocols ok?" 
+ set msg "In our index page is removing protocols ok" set unallowed_protocols {http javascript https} - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_protocols $unallowed_protocols] - set valid_p [ad_sanitize_html -html $result -allowed_tags * -allowed_attributes * -allowed_protocols * -unallowed_protocols $unallowed_protocols -validate] + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_protocols $unallowed_protocols] + set valid_p [ad_dom_sanitize_html -html $result \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -unallowed_protocols $unallowed_protocols \ + -validate] aa_true "$msg with validate?" $valid_p aa_false $msg? [regexp {<([a-z]\w*)\s+[^>]*(href|src|content|action)="(http|javascript):.*"[^>]*>} $result] - set msg "In our index page is removing outer links ok?" - set result [ad_sanitize_html -html $test_case -allowed_tags * -allowed_attributes * -allowed_protocols * -no_outer_urls] - set valid_p [ad_sanitize_html -html $result -allowed_tags * -allowed_attributes * -allowed_protocols * -no_outer_urls -validate] + set msg "In our index page is removing outer links ok" + set result [ad_dom_sanitize_html -html $test_case \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -no_outer_urls] + set valid_p [ad_dom_sanitize_html -html $result \ + -allowed_tags * \ + -allowed_attributes * \ + -allowed_protocols * \ + -no_outer_urls \ + -validate] aa_true "$msg with validate?" $valid_p aa_false $msg? [regexp {<([a-z]\w*)\s+[^>]*(href|src|content|action)="(http|https|//):.*"[^>]*>} $result]