test: pin data and vbscript url stripping
This commit is contained in:
@@ -9,6 +9,12 @@ describe('sanitizeHtml', () => {
|
||||
it('strips script/style/iframe and event handlers', () => {
|
||||
expect(sanitizeHtml('<p onclick="x()">a</p><script>evil()</script><iframe src="x"></iframe>')).toBe('<p>a</p>');
|
||||
});
|
||||
it('strips data: and vbscript: urls', () => {
|
||||
expect(sanitizeHtml('<a href="data:text/html,x">y</a>')).toBe('<a>y</a>');
|
||||
expect(sanitizeHtml('<img src="data:image/svg+xml,x">')).toBe('<img>');
|
||||
expect(sanitizeHtml('<a href="vbscript:x">y</a>')).toBe('<a>y</a>');
|
||||
});
|
||||
|
||||
it('keeps safe links and images, strips javascript: urls', () => {
|
||||
expect(sanitizeHtml('<a href="https://x.y">l</a><a href="javascript:e()">m</a><img src="https://x.y/i.png" alt="i">'))
|
||||
.toBe('<a href="https://x.y">l</a><a>m</a><img src="https://x.y/i.png" alt="i">');
|
||||
|
||||
Reference in New Issue
Block a user