test_sanitizer_api.html

mozilla-central/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

Test Info:

Manifest: dom/security/sanitizer/tests/mochitest/mochitest.toml

<!DOCTYPE HTML>

<title>Test sanitizer api</title>

<script src="/tests/SimpleTest/SimpleTest.js"></script>

<link rel="stylesheet" href="/tests/SimpleTest/test.css" />

<script type="text/javascript">

"use strict";

/* global Sanitizer */

// we're not done after "onload"

SimpleTest.waitForExplicitFinish();

(async function() {

  // Ensure Sanitizer is not exposed when the pref is false

  const isEnabled = SpecialPowers.getBoolPref("dom.security.sanitizer.enabled");

  if (!isEnabled) {

    ok(false, "This test should only be run with dom.security.sanitizer.enabled set to true");

    SimpleTest.finish();

  // basic interface smoke test

  ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on");

  const mySanitizer = new Sanitizer();

  ok(mySanitizer, "Sanitizer constructor works");

  ok("setHTML" in Element.prototype, "Element.setHTML exists");

  // testing sanitizer results

  const testCases = [

      testString: "<p>hello</p>",

      testExpected: "<p>hello</p>",

      sanitizerOptions: {}

},

      testString: "<p>hello</p>",

      testExpected: "<p>hello</p>",

      sanitizerOptions: "default"

},

/*

      // script element encoded to not confuse the HTML parser and end execution here

      testString: "<p>second test</p><script>alert(1)\x3C/script>",

      testExpected: "<p>second test</p>",

      sanitizerOptions: {},

},

      // test for the elements option

      testString: "<p>hello <i>folks</i></p>",

      testExpected: "<p>hello folks</p>",

      sanitizerOptions: { elements: ["p"] },

},

      // test for the replaceWithChildrenElements option

      testString: "<p>hello <i>folks</i></p>",

      testExpected: "<p>hello folks</p>",

      sanitizerOptions: { replaceWithChildrenElements: ["i"] },

},

*/

    // TODO: Unknown attributes aren't supported yet.

    // {

    //   // test for the allowAttributes option

    //   testString: `<p haha="lol">hello</p>`,

    //   testExpected: `<p haha="lol">hello</p>`,

    //   sanitizerOptions: { unknownMarkup: true, attributes: ["haha"] },

    // },

/*

      // confirming the inverse

      testString: `<p haha="lol">hello</p>`,

      testExpected: `<p>hello</p>`,

      sanitizerOptions: {},

},

      // test for the removeAttributes option

      testString: `<p title="dropme">hello</p>`,

      testExpected: `<p>hello</p>`,

      sanitizerOptions: { removeAttributes: ['title'] },

},

      // confirming the inverse

      testString: `<p title="dontdropme">hello</p>`,

      testExpected: `<p title="dontdropme">hello</p>`,

      sanitizerOptions: {},

},

      // if an attribute is allowed and removed, the remove will take preference

      testString: `<p title="lol">hello</p>`,

      testExpected: `<p>hello</p>`,

      sanitizerOptions: {

        attributes: ["title"],

        removeAttributes: ["title"],

},

},

*/

];

  const div = document.createElement("div");

  for (let test of testCases) {

    const {testString, testExpected, sanitizerOptions} = test;

    try {

      div.setHTML(testString, { sanitizer: sanitizerOptions });

      is(div.innerHTML, testExpected, `div.setHTML should turn '${testString}' into '${testExpected}' (options: ${JSON.stringify(sanitizerOptions)})`);

    catch (e) {

      ok(false, 'Error in setHTML() test: ' + e)

  SimpleTest.finish();

})();

</script>