UNPKG

@gitlab/ui

Version:

GitLab UI Components

gitlab.com/gitlab-org/gitlab-ui

95 lines (74 loc) 2.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
import { shallowMount } from '@vue/test-utils'; import { forbiddenDataAttrs } from './constants'; import { SafeHtmlDirective as safeHtml } from './safe_html'; describe('safe html directive', () => { let wrapper; const createComponent = ({ template, html, config } = {}) => { const defaultTemplate = `<div v-safe-html="rawHtml"></div>`; const defaultHtml = 'hello <script>alert(1)</script>world'; const component = { directives: { safeHtml, }, data() { return { rawHtml: html || defaultHtml, config: config || {}, }; }, template: template || defaultTemplate, }; wrapper = shallowMount(component); }; describe('default', () => { it('should remove the script tag', () => { createComponent(); expect(wrapper.html()).toEqual('<div>hello world</div>'); }); it('should remove javascript hrefs', () => { createComponent({ html: '<a href="javascript:prompt(1)">click here</a>' }); expect(wrapper.html()).toEqual('<div><a>click here</a></div>'); }); it('should remove any existing children', () => { createComponent({ template: `<div v-safe-html="rawHtml">foo <i>bar</i></div>`, }); expect(wrapper.html()).toEqual('<div>hello world</div>'); }); describe('handles data attributes correctly', () => { const acceptedDataAttrs = ['data-safe', 'data-random']; it.each(forbiddenDataAttrs)('removes %s attributes', (attr) => { createComponent({ html: `<a ${attr}="true"></a>`, }); expect(wrapper.html()).toEqual('<div><a></a></div>'); }); it.each(acceptedDataAttrs)('does not remove %s attributes', (attr) => { const attrWithValue = `${attr}="true"`; createComponent({ html: `<a ${attrWithValue}="true"></a>`, }); expect(wrapper.html()).toEqual(`<div><a ${attrWithValue}></a></div>`); }); }); }); describe('advance config', () => { const template = '<div v-safe-html:[config]="rawHtml"></div>'; it('should only allow <b> tags', () => { createComponent({ template, html: '<a href="javascript:prompt(1)"><b>click here</b></a>', config: { ALLOWED_TAGS: ['b'] }, }); expect(wrapper.html()).toEqual('<div><b>click here</b></div>'); }); it('should strip all html tags', () => { createComponent({ template, html: '<a href="javascript:prompt(1)"><u>click here</u></a>', config: { ALLOWED_TAGS: [] }, }); expect(wrapper.html()).toEqual('<div>click here</div>'); }); }); });