`, expected: `

`, }, { in: `

`, expected: `

`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `

`, expected: ``, }, { in: `

`, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: "", expected: ``, }, { in: ``, expected: ``, }, { in: `PT SRC="http://ha.ckers.org/xss.js">`, expected: `PT SRC="http://ha.ckers.org/xss.js">`, }, { in: `PT SRC="http://ha.ckers.org/xss.js">`, expected: `PT SRC="http://ha.ckers.org/xss.js">`, }, { in: ``, expected: ``, }, { in: "", expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ` +ADw-SCRIPT+AD4-alert('XSS')`, expected: ` +ADw-SCRIPT+AD4-alert('XSS')`, }, { in: ``, expected: ``, }, { in: `alert("XSS")'); ?>`, expected: `alert("XSS")'); ?>`, }, { in: ``, expected: ``, }, { in: ` "> `, expected: "\n\n\n">\n", }, { in: ` `, expected: ` `, }, { in: ` `, expected: ` `, }, { in: `

`, expected: ``, }, { in: `

`, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `

`, expected: `

`, }, { in: `

`, expected: `

`, }, { in: `

`, expected: `

`, }, { in: `

`, expected: `

`, }, { in: `

`, expected: `

`, }, { in: ``, expected: `

`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `
`, expected: `
`, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `

XSS
`, expected: `
- XSS
  `, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: `\";alert('XSS');//`, expected: `\";alert('XSS');//`, }, { in: ``, expected: ``, }, { in: `<<SCRIPT>alert("XSS");//<</SCRIPT>`, expected: `<`, }, { in: "<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", expected: ``, }, { in: `<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, expected: ``, }, { in: `<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>`, expected: ``, }, { in: `<IMG SRC="  javascript:alert('XSS');">`, expected: ``, }, { in: `<IMG SRC="jav
  ascript:alert('XSS');">`, expected: ``, }, { in: `<IMG SRC="jav	ascript:alert('XSS');">`, expected: ``, }, { in: `<IMG SRC="jav ascript:alert('XSS');">`, expected: ``, }, { in: `<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>`, expected: ``, }, { in: `<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097& #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>`, expected: ``, }, { in: `<IMG SRC=javascript:alert( 'XSS')>`, expected: ``, }, { in: `<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>`, expected: `<img src="/"></img>`, }, { in: `<IMG onmouseover="alert('xxs')">`, expected: ``, }, { in: `<IMG SRC= onmouseover="alert('xxs')">`, expected: `<img src="onmouseover=%22alert%28%27xxs%27%29%22">`, }, { in: `<IMG SRC=# onmouseover="alert('xxs')">`, expected: ``, }, { in: `<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>`, expected: ``, }, { in: `<IMG """><SCRIPT>alert("XSS")</SCRIPT>">`, expected: `">`, }, { in: `<IMG SRC=javascript:alert("XSS")>`, expected: ``, }, { in: `<IMG SRC=JaVaScRiPt:alert('XSS')>`, expected: ``, }, { in: `<IMG SRC=javascript:alert('XSS')>`, expected: ``, }, { in: `<IMG SRC="javascript:alert('XSS');">`, expected: ``, }, { in: `<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>`, expected: ``, }, { in: `'';!--"<XSS>=&{()}`, expected: `'';!--"=&{()}`, }, { in: `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`, expected: `';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>`, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestAllowNoAttrs(t *testing.T) { input := "<tag>test</tag>" outputFail := "test" outputOk := input p := NewPolicy() p.AllowElements("tag") if output := p.Sanitize(input); output != outputFail { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, output, outputFail, ) } p.AllowNoAttrs().OnElements("tag") if output := p.Sanitize(input); output != outputOk { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, output, outputOk, ) } } func TestSkipElementsContent(t *testing.T) { input := "<tag>test</tag>" outputFail := "test" outputOk := "" p := NewPolicy() if output := p.Sanitize(input); output != outputFail { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, output, outputFail, ) } p.SkipElementsContent("tag") if output := p.Sanitize(input); output != outputOk { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, output, outputOk, ) } } func TestTagSkipClosingTagNested(t *testing.T) { input := "<tag1><tag2><tag3>text</tag3></tag2></tag1>" outputOk := "<tag2>text</tag2>" p := NewPolicy() p.AllowElements("tag1", "tag3") p.AllowNoAttrs().OnElements("tag2") if output := p.Sanitize(input); output != outputOk { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, output, outputOk, ) } } func TestAddSpaces(t *testing.T) { p := UGCPolicy() p.AddSpaceWhenStrippingTag(true) tests := []test{ { in: `<foo>Hello</foo><bar>World</bar>`, expected: ` Hello World `, }, { in: `<p>Hello</p><bar>World</bar>`, expected: `<p>Hello</p> World `, }, { in: `<p>Hello</p><foo /><p>World</p>`, expected: `<p>Hello</p> <p>World</p>`, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestTargetBlankNoOpener(t *testing.T) { p := UGCPolicy() p.AddTargetBlankToFullyQualifiedLinks(true) p.AllowAttrs("target").Matching(Paragraph).OnElements("a") tests := []test{ { in: `<a href="/path" />`, expected: `<a href="/path" rel="nofollow"/>`, }, { in: `<a href="/path" target="_blank" />`, expected: `<a href="/path" target="_blank" rel="nofollow noopener"/>`, }, { in: `<a href="/path" target="foo" />`, expected: `<a href="/path" target="foo" rel="nofollow"/>`, }, { in: `<a href="https://www.google.com/" />`, expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`, }, { in: `<a href="https://www.google.com/" target="_blank"/>`, expected: `<a href="https://www.google.com/" target="_blank" rel="nofollow noopener"/>`, }, { in: `<a href="https://www.google.com/" rel="nofollow"/>`, expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`, }, { in: `<a href="https://www.google.com/" rel="noopener"/>`, expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`, }, { in: `<a href="https://www.google.com/" rel="noopener nofollow" />`, expected: `<a href="https://www.google.com/" rel="nofollow noopener" target="_blank"/>`, }, { in: `<a href="https://www.google.com/" target="foo" />`, expected: `<a href="https://www.google.com/" target="_blank" rel="nofollow noopener"/>`, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIFrameSandbox(t *testing.T) { p := NewPolicy() p.AllowAttrs("sandbox").OnElements("iframe") p.RequireSandboxOnIFrame(SandboxAllowForms, SandboxAllowPopups) in := `<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads allow-popups">` expected := `` out := p.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } } func TestSanitizedURL(t *testing.T) { tests := []test{ { in: `http://abc.com?d=1&a=2&a=3`, expected: `http://abc.com?d=1&a=2&a=3`, }, { in: `http://abc.com?d=1 2&a=2&a=3`, expected: `http://abc.com?d=1+2&a=2&a=3`, }, { in: `http://abc.com?d=1/2&a=2&a=3`, expected: `http://abc.com?d=1%2F2&a=2&a=3`, }, { in: `http://abc.com?=1&a=2&a=3`, expected: `http://abc.com?%26lt%3Bd%26gt%3B=1&a=2&a=3`, }, } for _, theTest := range tests { res, err := sanitizedURL(theTest.in) if err != nil { t.Errorf("sanitizedURL returned error: %v", err) } if theTest.expected != res { t.Errorf( "test failed;\ninput : %s\nexpected: %s, actual: %s", theTest.in, theTest.expected, res, ) } } } func TestIssue111ScriptTags(t *testing.T) { p1 := NewPolicy() p2 := UGCPolicy() p3 := UGCPolicy().AllowElements("script") in := `<script>alert(document.domain)</script>` expected := `<script>alert(document.domain)</script>` out := p1.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } expected = `<script>alert(document.domain)</script>` out = p2.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } expected = `<script>alert(document.domain)</script>` out = p3.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } } func TestQuotes(t *testing.T) { p := UGCPolicy() tests := []test{ { in: `noquotes`, expected: `noquotes`, }, { in: `"singlequotes"`, expected: `"singlequotes"`, }, { in: `""doublequotes""`, expected: `""doublequotes""`, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestComments(t *testing.T) { p := UGCPolicy() tests := []test{ { in: `1 3`, expected: `1 3`, }, { in: ``, expected: ``, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() p.AllowComments() tests = []test{ { in: `1 3`, expected: `1 3`, }, // Note that prior to go1.19 this test worked and preserved HTML comments // of the style used by Microsoft to create browser specific sections. // // However as @zhsj notes https://github.com/microcosm-cc/bluemonday/pull/148 // the commit https://github.com/golang/net/commit/06994584 broke this. // // I haven't found a way to allow MS style comments without creating a risk // for every user of bluemonday that utilises .AllowComments() { in: ``, expected: ``, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg = sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestDefaultStyleHandlers(t *testing.T) { tests := []test{ { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  aaaaaa`, expected: `
  aaaaaa`, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  ` + `
  `, expected: `
  ` + `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, } p := UGCPolicy() p.AllowStyles("nonexistentStyle", "align-content", "align-items", "align-self", "all", "animation", "animation-delay", "animation-direction", "animation-duration", "animation-fill-mode", "animation-iteration-count", "animation-name", "animation-play-state", "animation-timing-function", "backface-visibility", "background", "background-attachment", "background-blend-mode", "background-clip", "background-color", "background-image", "background-origin", "background-position", "background-repeat", "background-size", "border", "border-bottom", "border-bottom-color", "border-bottom-left-radius", "border-bottom-right-radius", "border-bottom-style", "border-bottom-width", "border-collapse", "border-color", "border-image", "border-image-outset", "border-image-repeat", "border-image-slice", "border-image-source", "border-image-width", "border-left", "border-left-color", "border-left-style", "border-left-width", "border-radius", "border-right", "border-right-color", "border-right-style", "border-right-width", "border-spacing", "border-style", "border-top", "border-top-color", "border-top-left-radius", "border-top-right-radius", "border-top-style", "border-top-width", "border-width", "bottom", "box-decoration-break", "box-shadow", "box-sizing", "break-after", "break-before", "break-inside", "caption-side", "caret-color", "clear", "clip", "color", "column-count", "column-fill", "column-gap", "column-rule", "column-rule-color", "column-rule-style", "column-rule-width", "column-span", "column-width", "columns", "cursor", "direction", "display", "empty-cells", "filter", "flex", "flex-basis", "flex-direction", "flex-flow", "flex-grow", "flex-shrink", "flex-wrap", "float", "font", "font-family", "font-kerning", "font-language-override", "font-size", "font-size-adjust", "font-stretch", "font-style", "font-synthesis", "font-variant", "font-variant-caps", "font-variant-position", "font-weight", "grid", "grid-area", "grid-auto-columns", "grid-auto-flow", "grid-auto-rows", "grid-column", "grid-column-end", "grid-column-gap", "grid-column-start", "grid-gap", "grid-row", "grid-row-end", "grid-row-gap", "grid-row-start", "grid-template", "grid-template-areas", "grid-template-columns", "grid-template-rows", "hanging-punctuation", "height", "hyphens", "image-rendering", "isolation", "justify-content", "left", "letter-spacing", "line-break", "line-height", "list-style", "list-style-image", "list-style-position", "list-style-type", "margin", "margin-bottom", "margin-left", "margin-right", "margin-top", "max-height", "max-width", "min-height", "min-width", "mix-blend-mode", "object-fit", "object-position", "opacity", "order", "orphans", "outline", "outline-color", "outline-offset", "outline-style", "outline-width", "overflow", "overflow-wrap", "overflow-x", "overflow-y", "padding", "padding-bottom", "padding-left", "padding-right", "padding-top", "page-break-after", "page-break-before", "page-break-inside", "perspective", "perspective-origin", "pointer-events", "position", "quotes", "resize", "right", "scroll-behavior", "tab-size", "table-layout", "text-align", "text-align-last", "text-combine-upright", "text-decoration", "text-decoration-color", "text-decoration-line", "text-decoration-style", "text-indent", "text-justify", "text-orientation", "text-overflow", "text-shadow", "text-transform", "top", "transform", "transform-origin", "transform-style", "transition", "transition-delay", "transition-duration", "transition-property", "transition-timing-function", "unicode-bidi", "user-select", "vertical-align", "visibility", "white-space", "widows", "width", "word-break", "word-spacing", "word-wrap", "writing-mode", "z-index").Globally() p.RequireParseableURLs(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestUnicodePoints(t *testing.T) { tests := []test{ { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, } p := UGCPolicy() p.AllowStyles("color").Globally() p.RequireParseableURLs(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestMatchingHandler(t *testing.T) { truthHandler := func(value string) bool { return true } tests := []test{ { in: `
  `, expected: `
  `, }, } p := UGCPolicy() p.AllowStyles("color").MatchingHandler(truthHandler).Globally() p.RequireParseableURLs(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestStyleBlockHandler(t *testing.T) { truthHandler := func(value string) bool { return true } tests := []test{ { in: ``, expected: ``, }, } p := UGCPolicy() p.AllowStyles("color").MatchingHandler(truthHandler).Globally() p.RequireParseableURLs(true) // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestAdditivePolicies(t *testing.T) { t.Run("AllowAttrs", func(t *testing.T) { p := NewPolicy() p.AllowAttrs("class").Matching(regexp.MustCompile("red")).OnElements("span") t.Run("red", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowAttrs("class").Matching(regexp.MustCompile("green")).OnElements("span") t.Run("green", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowAttrs("class").Matching(regexp.MustCompile("yellow")).OnElements("span") t.Run("yellow", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) }) t.Run("AllowStyles", func(t *testing.T) { p := NewPolicy() p.AllowAttrs("style").OnElements("span") p.AllowStyles("color").Matching(regexp.MustCompile("red")).OnElements("span") t.Run("red", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowStyles("color").Matching(regexp.MustCompile("green")).OnElements("span") t.Run("green", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowStyles("color").Matching(regexp.MustCompile("yellow")).OnElements("span") t.Run("yellow", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) }) t.Run("AllowURLSchemeWithCustomPolicy", func(t *testing.T) { p := NewPolicy() p.AllowAttrs("href").OnElements("a") p.AllowURLSchemeWithCustomPolicy( "http", func(url *url.URL) bool { return url.Hostname() == "example.org" }, ) t.Run("example.org", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowURLSchemeWithCustomPolicy( "http", func(url *url.URL) bool { return url.Hostname() == "example2.org" }, ) t.Run("example2.org", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) p.AllowURLSchemeWithCustomPolicy( "http", func(url *url.URL) bool { return url.Hostname() == "example3.org" }, ) t.Run("example3.org", func(t *testing.T) { tests := []test{ { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, { in: `test`, expected: `test`, }, } for ii, tt := range tests { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } } }) }) } func TestHrefSanitization(t *testing.T) { tests := []test{ { in: `abcCLICK`, expected: `abc CLICK`, }, { in: ``, expected: ``, }, } p := UGCPolicy() // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestInsertionModeSanitization(t *testing.T) { tests := []test{ { in: `
  git diff
  `, expected: `
  git diff
  `, } out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected, ) } tt = test{ in: `
  git diff
  `, expected: `
  git diff
  `, } out = p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected, ) } p.AddTargetBlankToFullyQualifiedLinks(true) tt = test{ in: `
  git diff
  `, expected: `
  git diff
  `, } out = p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected, ) } tt = test{ in: `
  git diff
  `, expected: `
  git diff
  `, } out = p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected, ) } tt = test{ in: `
  git diff
  `, expected: `
  git diff
  `, } out = p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected, ) } } func TestIssue18(t *testing.T) { p := UGCPolicy() p.AllowAttrs("color").OnElements("font") p.AllowElements("font") tt := test{ in: `No link here. link here. Should not be linked here.`, expected: `No link here. link here. Should not be linked here.`, } out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", tt.in, out, tt.expected) } } func TestIssue23(t *testing.T) { p := NewPolicy() p.SkipElementsContent("tag1", "tag2") input := `cutharm123234` out := p.Sanitize(input) expected := "" if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } p = NewPolicy() p.SkipElementsContent("tag") p.AllowElements("p") input = `234
  asd
  ` out = p.Sanitize(input) expected = "" if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } p = NewPolicy() p.SkipElementsContent("tag") p.AllowElements("p", "br") input = `234
  as
  d
  ` out = p.Sanitize(input) expected = "" if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue51(t *testing.T) { // Whitespace in URLs is permitted within HTML according to: // https://dev.w3.org/html5/spec-LC/urls.html#parsing-urls // // We were aggressively rejecting URLs that contained line feeds but these // are permitted. // // This test ensures that we do not regress that fix. p := NewPolicy() p.AllowImages() p.AllowDataURIImages() input := `` out := p.Sanitize(input) expected := `` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } input = `` out = p.Sanitize(input) expected = `` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue55(t *testing.T) { p1 := NewPolicy() p2 := UGCPolicy() p3 := UGCPolicy().AllowElements("script").AllowUnsafe(true) in := `` expected := `` out := p1.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } expected = `` out = p2.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } expected = `` out = p3.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } } func TestIssue85(t *testing.T) { p := UGCPolicy() p.AllowAttrs("rel").OnElements("a") p.RequireNoReferrerOnLinks(true) p.AddTargetBlankToFullyQualifiedLinks(true) p.AllowAttrs("target").Matching(Paragraph).OnElements("a") tests := []test{ { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIssue107(t *testing.T) { p := UGCPolicy() p.RequireCrossOriginAnonymous(true) p1 := UGCPolicy() p1.RequireCrossOriginAnonymous(true) p1.AllowAttrs("crossorigin").Globally() tests := []test{ { in: ``, expected: ``, }, { in: ``, expected: ``, }, { in: ``, expected: ``, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } out = p1.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed with policy p1;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIssue134(t *testing.T) { // Do all the methods work? // // Are all the times roughly consistent? in := `
  ` expected := `
  ` p := UGCPolicy() p.AllowAttrs("style").OnElements("p") t.Run("Sanitize", func(t *testing.T) { out := p.Sanitize(in) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } }) t.Run("SanitizeReader", func(t *testing.T) { out := p.SanitizeReader(strings.NewReader(in)).String() if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } }) t.Run("SanitizeBytes", func(t *testing.T) { out := string(p.SanitizeBytes([]byte(in))) if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } }) t.Run("SanitizeReaderToWriter", func(t *testing.T) { var buff bytes.Buffer var out string p.SanitizeReaderToWriter(strings.NewReader(in), &buff) out = (&buff).String() if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", in, out, expected, ) } }) } func TestIssue139(t *testing.T) { // HTML escaping of attribute values appears to occur twice tests := []test{ { in: `
  `, expected: `
  `, }, } p := UGCPolicy() p.AllowAttrs("style").OnElements("p") // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIssue143(t *testing.T) { // HTML escaping of attribute values appears to occur twice tests := []test{ { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, { in: `
  `, expected: `
  `, }, } p := UGCPolicy() p.AllowAttrs("title").OnElements("p") // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIssue146(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/146 // // Ask for image/svg+xml to be accepted. // This blog https://digi.ninja/blog/svg_xss.php shows that inline images // that are SVG are considered safe, so I've added that and this test // verifies that it works. p := NewPolicy() p.AllowImages() p.AllowDataURIImages() input := `` out := p.Sanitize(input) expected := `` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue147(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/147 // // ``` // p.AllowElementsMatching(regexp.MustCompile(`^custom-`)) // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)) // ``` // This does not work as expected. This looks like a limitation, and the // question is whether the matching has to be applied in a second location // to overcome the limitation. // // However the issue is really that the `.Matching()` returns an attribute // test that has to be bound to some elements, it isn't a global test. // // This should work: // ``` // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)).OnElementsMatching(regexp.MustCompile(`^custom-`)) // ``` p := NewPolicy() p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)).OnElementsMatching(regexp.MustCompile(`^custom-`)) input := `example` out := p.Sanitize(input) expected := `example` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestRemovingEmptySelfClosingTag(t *testing.T) { p := NewPolicy() // Only broke when attribute policy was specified. p.AllowAttrs("type").OnElements("input") input := `` out := p.Sanitize(input) expected := `` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue161(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/161 // // ``` // p.AllowElementsMatching(regexp.MustCompile(`^custom-`)) // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)) // ``` // This does not work as expected. This looks like a limitation, and the // question is whether the matching has to be applied in a second location // to overcome the limitation. // // However the issue is really that the `.Matching()` returns an attribute // test that has to be bound to some elements, it isn't a global test. // // This should work: // ``` // p.AllowNoAttrs().Matching(regexp.MustCompile(`^custom-`)).OnElementsMatching(regexp.MustCompile(`^custom-`)) // ``` p := UGCPolicy() p.AllowElements("picture", "source") p.AllowAttrs("srcset", "src", "type", "media").OnElements("source") input := `` out := p.Sanitize(input) expected := input if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue171(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/171 // // Trailing spaces in the style attribute should not cause the value to be omitted p := UGCPolicy() p.AllowAttrs("style").OnElements("p") p.AllowStyles("color", "text-align").OnElements("p") input := `
  ` out := p.Sanitize(input) expected := `
  ` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestIssue174(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/174 // // Allow all URL schemes p := UGCPolicy() p.AllowURLSchemesMatching(regexp.MustCompile(`.+`)) input := ` ` out := p.Sanitize(input) expected := ` ` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } // Custom handling of specific URL schemes even if the regex allows all p.AllowURLSchemeWithCustomPolicy("javascript", func(*url.URL) bool { return false }) input = ` xss` out = p.Sanitize(input) expected = ` xss` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } } func TestXSSGo18(t *testing.T) { p := UGCPolicy() tests := []test{ { in: ``, expected: ``, }, { in: "", expected: ``, }, } // These tests are run concurrently to enable the race detector to pick up // potential issues wg := sync.WaitGroup{} wg.Add(len(tests)) for ii, tt := range tests { go func(ii int, tt test) { out := p.Sanitize(tt.in) if out != tt.expected { t.Errorf( "test %d failed;\ninput : %s\noutput : %s\nexpected: %s", ii, tt.in, out, tt.expected, ) } wg.Done() }(ii, tt) } wg.Wait() } func TestIssue208(t *testing.T) { // https://github.com/microcosm-cc/bluemonday/issues/208 p := NewPolicy() p.AllowElements("span") p.AllowAttrs("title").Matching(Paragraph).Globally() p.AllowAttrs("title").Matching(regexp.MustCompile(`.*`)).Globally() input := `b` out := p.Sanitize(input) expected := `b` if out != expected { t.Errorf( "test failed;\ninput : %s\noutput : %s\nexpected: %s", input, out, expected) } }

git diff

git diff

git diff

git diff

git diff

git diff

git diff

git diff

git diff

git diff