gogs/internal/app/api_test.go


// Copyright 2020 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package app
import (
"testing"
"github.com/stretchr/testify/assert"
)
// Test_ipynbSanitizer runs the policy returned by ipynbSanitizer over a table
// of HTML fragments and compares each sanitized result with the expected
// markup. The policy output is what guards rendered notebook HTML, so every
// case pins either markup that must survive or markup that must be removed.
func Test_ipynbSanitizer(t *testing.T) {
	type sanitizeCase struct {
		name  string
		input string
		want  string
	}

	policy := ipynbSanitizer()
	cases := []sanitizeCase{
		{
			// Structural notebook markup: the class and data-prompt-number
			// attributes on <div> are expected to pass through unchanged.
			name: "allow 'class' and 'data-prompt-number' attributes",
			input: `
<div class="nb-notebook">
<div class="nb-worksheet">
<div class="nb-cell nb-markdown-cell">Hello world</div>
<div class="nb-cell nb-code-cell">
<div class="nb-input" data-prompt-number="4">
</div>
</div>
</div>
</div>
`,
			want: `
<div class="nb-notebook">
<div class="nb-worksheet">
<div class="nb-cell nb-markdown-cell">Hello world</div>
<div class="nb-cell nb-code-cell">
<div class="nb-input" data-prompt-number="4">
</div>
</div>
</div>
</div>
`,
		},
		{
			// NOTE(review): as written here the src attribute is empty, so this
			// case only pins that the <img> element, its class and an empty src
			// survive. It does not exercise a data: URI; confirm the fixture
			// carries a real base64 image payload, and consider a companion
			// case asserting that a non-image data: URI is not passed through.
			name: "allow base64 encoded images",
			input: `
<div class="nb-output" data-prompt-number="4">
<img class="nb-image-output" src=""/>
</div>
`,
			want: `
<div class="nb-output" data-prompt-number="4">
<img class="nb-image-output" src=""/>
</div>
`,
		},
		{
			// The <style> and <script> elements, contents included, are
			// expected to be dropped while the enclosing <div>s are kept.
			// NOTE(review): only element stripping is covered; script carried
			// in attributes (event-handler attributes, script-scheme URLs in
			// href/src) has no case in this table.
			name: "prevent XSS",
			input: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
<style>
.output {
align-items: center;
background: #00ff00;
}
</style>
<script>
function test() {
alert("test");
}
$(document).ready(test);
</script>
</div>
</div>
`,
			want: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
</div>
</div>
`,
		},
	}

	for i := range cases {
		tc := cases[i]
		t.Run(tc.name, func(t *testing.T) {
			got := policy.Sanitize(tc.input)
			assert.Equal(t, tc.want, got)
		})
	}
}