mirror of
https://github.com/jhillyerd/inbucket.git
synced 2025-12-21 11:37:07 +00:00
sanitize: naive CSS sanitizer implementation
- CSS sanitizer allows a limited set of properties in a style attribute. - Added a CSS inlined version of the tutsplus responsive test mail. - Linter fixes in inbucket.go
This commit is contained in:
James Hillyerd
@@ -35,6 +35,7 @@ func TestHTMLSimpleFormatting(t *testing.T) {
|
||||
"<em>emphasis</em>",
|
||||
"<strong>strong</strong>",
|
||||
"<div><span>text</span></div>",
|
||||
"<center>text</center>",
|
||||
}
|
||||
for _, ts := range testStrings {
|
||||
t.Run(ts, func(t *testing.T) {
|
||||
@@ -75,3 +76,96 @@ func TestHTMLScriptTags(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSanitizeStyleTags(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name, input, want string
|
||||
}{
|
||||
{
|
||||
"empty",
|
||||
``,
|
||||
``,
|
||||
},
|
||||
{
|
||||
"open",
|
||||
`<div>`,
|
||||
`<div>`,
|
||||
},
|
||||
{
|
||||
"open close",
|
||||
`<div></div>`,
|
||||
`<div></div>`,
|
||||
},
|
||||
{
|
||||
"inner text",
|
||||
`<div>foo bar</div>`,
|
||||
`<div>foo bar</div>`,
|
||||
},
|
||||
{
|
||||
"self close",
|
||||
`<br/>`,
|
||||
`<br/>`,
|
||||
},
|
||||
{
|
||||
"open params",
|
||||
`<div id="me">`,
|
||||
`<div id="me">`,
|
||||
},
|
||||
{
|
||||
"open params squote",
|
||||
`<div id="me" title='best'>`,
|
||||
`<div id="me" title="best">`,
|
||||
},
|
||||
{
|
||||
"open style",
|
||||
`<div id="me" style="color: red;">`,
|
||||
`<div id="me" style="color: red;">`,
|
||||
},
|
||||
{
|
||||
"open style squote",
|
||||
`<div id="me" style='color: red;'>`,
|
||||
`<div id="me" style="color: red;">`,
|
||||
},
|
||||
{
|
||||
"open style mixed case",
|
||||
`<div id="me" StYlE="color: red;">`,
|
||||
`<div id="me" style="color: red;">`,
|
||||
},
|
||||
{
|
||||
"closed style",
|
||||
`<br style="border: 1px solid red;"/>`,
|
||||
`<br style="border: 1px solid red;"/>`,
|
||||
},
|
||||
{
|
||||
"mixed case style",
|
||||
`<br StYlE="border: 1px solid red;"/>`,
|
||||
`<br style="border: 1px solid red;"/>`,
|
||||
},
|
||||
{
|
||||
"mixed case invalid style",
|
||||
`<br StYlE="position: fixed;"/>`,
|
||||
`<br/>`,
|
||||
},
|
||||
{
|
||||
"mixed",
|
||||
`<p id='i' title="cla'zz" style="font-size: 25px;"><b>some text</b></p>`,
|
||||
`<p id="i" title="cla'zz" style="font-size: 25px;"><b>some text</b></p>`,
|
||||
},
|
||||
{
|
||||
"invalid styles",
|
||||
`<div id="me" style='position: absolute;'>`,
|
||||
`<div id="me">`,
|
||||
},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
got, err := sanitize.HTML(tc.input)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if got != tc.want {
|
||||
t.Errorf("input: %s\ngot : %s\nwant: %s", tc.input, got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user