UNPKG

substance

Version:

Substance is a JavaScript library for web-based content editing. It provides building blocks for realizing custom text editors and web-based publishing system. It is developed to power our online editing platform [Substance](http://substance.io).

github.com/substance/substance

substance/substance

68 lines (59 loc) 2.36 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import { test } from 'substance-test' import { sanitizeHTML } from 'substance' test('sanitizeHTML: strip <script> elements', t => { const html = '<div><script>alert()</script>foo</div>' const expected = '<div>foo</div>' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: strip HTML event hooks', t => { const html = '<div onclick="alert()">foo</div>' const expected = '<div>foo</div>' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) // mentioned on the HTML4 security cheatsheet (see https://html5sec.org/) test('sanitizeHTML: strip form and formaction', t => { const html = '<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>' const expected = '<form></form><button>X</button>' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: strip mathml', t => { const html = '<math href="javascript:alert(1)">CLICKME</math>' const expected = '' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: strip href with javascript', t => { const html = '<a href="javascript:alert()"></a>' const expected = '<a></a>' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: strip comments', t => { const html = '<!--<img src="--><img src=x onerror=alert(1)//">' const expected = '<img src="x">' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: strip CDATA', t => { const html = '<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>' const expected = '<svg><img src="xx:x"/></svg>' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() }) test('sanitizeHTML: plain text obfuscation', t => { const html = '<style><img src="</style><img src=x onerror=alert(1)//"></img>' const expected = '<style><img src="</style><img src="x">' const actual = sanitizeHTML(html) t.equal(actual, expected, 'html should be sanitized correctly') t.end() })