sanitizer-removeUnsafe.tentative.html

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /sanitizer-api/sanitizer-removeUnsafe.tentative.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<html>

<head>

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

</head>

<body>

<script>

test(t => {

  // Create an empty config.

  let s = new Sanitizer({});

  // Remove everything unsafe.

  s.removeUnsafe();

  let config = s.get();

  assert_equals(config.elements.length, 0, "no elements");

  assert_equals(config.replaceWithChildrenElements.length, 0, "no replaceWithChildrenElements");

  assert_equals(config.attributes.length, 0, "no attributes");

  // https://wicg.github.io/sanitizer-api/#built-in-safe-baseline-configuration

  const SAFE_BASELINE = {

    "removeElements": [

        "namespace": "http://www.w3.org/1999/xhtml",

        "name": "script"

},

        "namespace": "http://www.w3.org/1999/xhtml",

        "name": "frame"

},

        "namespace": "http://www.w3.org/1999/xhtml",

        "name": "iframe"

},

        "namespace": "http://www.w3.org/1999/xhtml",

        "name": "object"

},

        "namespace": "http://www.w3.org/1999/xhtml",

        "name": "embed"

},

        "namespace": "http://www.w3.org/2000/svg",

        "name": "script"

},

        "namespace": "http://www.w3.org/2000/svg",

        "name": "use"

],

    "removeAttributes": []

};

  assert_equals(config.removeElements.length, SAFE_BASELINE.removeElements.length);

  for (let i = 0; i < SAFE_BASELINE.removeElements.length; i++) {

    let element = config.removeElements[i];

    assert_own_property(element, "name");

    assert_equals(element.name, SAFE_BASELINE.removeElements[i].name);

    assert_own_property(element, "namespace");

    assert_equals(element.namespace, SAFE_BASELINE.removeElements[i].namespace);

  // This list depends on the implementation defined "event handler content attributes"

  assert_true(config.removeAttributes.length > 0, "Has removeAttributes");

  for (let attribute of config.removeAttributes) {

    assert_own_property(attribute, "name");

    assert_true(attribute.name.startsWith("on"), `attribute '${attribute.name}' starts with "on"`);

    assert_own_property(attribute, "namespace"); // XXX Maybe optional?

    assert_equals(attribute.namespace, null, "attribute is in null namespace");

}, "removeUnsafe removes the right elements and attributes");

test(t => {

  let s = new Sanitizer("default");

  let before = s.get();

  let s2 = new Sanitizer("default");

  s2.removeUnsafe();

  let after = s2.get();

  // None of the default config elements are unsafe.

  assert_true(before.elements.length > 0);

  assert_equals(before.elements.length, after.elements.length, "elements don't change");

  // Not in default config.

  assert_equals(before.replaceWithChildrenElements.length, 0);

  assert_equals(after.replaceWithChildrenElements.length, 0);

  assert_equals(before.removeElements.length, 0);

  assert_equals(after.removeElements.length, 7, "removeElements are added");

  // None of the default config attributes are unsafe.

  assert_true(before.attributes.length > 0);

  assert_equals(before.attributes.length, after.attributes.length, "attributes don't change");

  // Imeplementation defined "event handler content attributes"

  assert_equals(before.removeAttributes.length, 0);

  assert_true(after.removeAttributes.length > 0, "removeAttributes are added");

}, "removeUnsafe with default config")

</script>

</body>

</html>