Markdown parser fork with extended syntax for personal use.
// Regression tests for the URL-scheme filtering that `to_html` applies to
// autolinks, links and images. The expected strings show that a rejected
// destination is rendered as an empty `href`/`src` while the element itself is
// still emitted.
//
// NOTE(review): the only blocked scheme exercised with default options is a
// lowercase `javascript:`. Mixed-case spellings and other schemes (for example
// `data:` or `vbscript:`) are not pinned by this file; add cases for them once
// the expected output has been confirmed against this fork.
use markdown::to_html;
use pretty_assertions::assert_eq;

/// One expectation: Markdown input, exact HTML output, assertion message.
type Case = (&'static str, &'static str, &'static str);

/// Renders every input with the default options and compares the result with
/// the expected HTML, stopping at the first mismatch.
fn assert_default_html(cases: &[Case]) {
    for &(input, html, why) in cases {
        assert_eq!(to_html(input), html, "{}", why);
    }
}

/// Autolinks: `javascript:` is emptied, while `http:`, `https:`, `irc:` and
/// `mailto:` are kept in `href`. The link text is left as written either way.
#[test]
fn dangerous_protocol_autolink() {
    assert_default_html(&[
        (
            "<javascript:alert(1)>",
            "<p><a href=\"\">javascript:alert(1)</a></p>",
            "should be safe by default",
        ),
        (
            "<http://a>",
            "<p><a href=\"http://a\">http://a</a></p>",
            "should allow `http:`",
        ),
        (
            "<https://a>",
            "<p><a href=\"https://a\">https://a</a></p>",
            "should allow `https:`",
        ),
        (
            "<irc:///help>",
            "<p><a href=\"irc:///help\">irc:///help</a></p>",
            "should allow `irc:`",
        ),
        (
            "<mailto:a>",
            "<p><a href=\"mailto:a\">mailto:a</a></p>",
            "should allow `mailto:`",
        ),
    ]);
}

/// Images: only `http:` and `https:` survive as schemes; `irc:` and `mailto:`
/// are emptied here even though the link tests accept them. Relative references
/// pass, and a colon that appears after `#`, `?` or `/` is not treated as a
/// scheme separator.
#[test]
fn dangerous_protocol_image() {
    assert_default_html(&[
        (
            "![](javascript:alert(1))",
            "<p><img src=\"\" alt=\"\" /></p>",
            "should be safe by default",
        ),
        (
            "![](http://a)",
            "<p><img src=\"http://a\" alt=\"\" /></p>",
            "should allow `http:`",
        ),
        (
            "![](https://a)",
            "<p><img src=\"https://a\" alt=\"\" /></p>",
            "should allow `https:`",
        ),
        (
            "![](irc:///help)",
            "<p><img src=\"\" alt=\"\" /></p>",
            "should not allow `irc:`",
        ),
        (
            "![](mailto:a)",
            "<p><img src=\"\" alt=\"\" /></p>",
            "should not allow `mailto:`",
        ),
        (
            "![](#a)",
            "<p><img src=\"#a\" alt=\"\" /></p>",
            "should allow a hash",
        ),
        (
            "![](?a)",
            "<p><img src=\"?a\" alt=\"\" /></p>",
            "should allow a search",
        ),
        (
            "![](/a)",
            "<p><img src=\"/a\" alt=\"\" /></p>",
            "should allow an absolute",
        ),
        (
            "![](./a)",
            "<p><img src=\"./a\" alt=\"\" /></p>",
            "should allow an relative",
        ),
        (
            "![](../a)",
            "<p><img src=\"../a\" alt=\"\" /></p>",
            "should allow an upwards relative",
        ),
        (
            "![](a#b:c)",
            "<p><img src=\"a#b:c\" alt=\"\" /></p>",
            "should allow a colon in a hash",
        ),
        (
            "![](a?b:c)",
            "<p><img src=\"a?b:c\" alt=\"\" /></p>",
            "should allow a colon in a search",
        ),
        (
            "![](a/b:c)",
            "<p><img src=\"a/b:c\" alt=\"\" /></p>",
            "should allow a colon in a path",
        ),
    ]);
}

/// Inline links: same matrix as the image test, except that `irc:` and
/// `mailto:` are kept in `href`.
#[test]
fn dangerous_protocol_link() {
    assert_default_html(&[
        (
            "[](javascript:alert(1))",
            "<p><a href=\"\"></a></p>",
            "should be safe by default",
        ),
        (
            "[](http://a)",
            "<p><a href=\"http://a\"></a></p>",
            "should allow `http:`",
        ),
        (
            "[](https://a)",
            "<p><a href=\"https://a\"></a></p>",
            "should allow `https:`",
        ),
        (
            "[](irc:///help)",
            "<p><a href=\"irc:///help\"></a></p>",
            "should allow `irc:`",
        ),
        (
            "[](mailto:a)",
            "<p><a href=\"mailto:a\"></a></p>",
            "should allow `mailto:`",
        ),
        (
            "[](#a)",
            "<p><a href=\"#a\"></a></p>",
            "should allow a hash",
        ),
        (
            "[](?a)",
            "<p><a href=\"?a\"></a></p>",
            "should allow a search",
        ),
        (
            "[](/a)",
            "<p><a href=\"/a\"></a></p>",
            "should allow an absolute",
        ),
        (
            "[](./a)",
            "<p><a href=\"./a\"></a></p>",
            "should allow an relative",
        ),
        (
            "[](../a)",
            "<p><a href=\"../a\"></a></p>",
            "should allow an upwards relative",
        ),
        (
            "[](a#b:c)",
            "<p><a href=\"a#b:c\"></a></p>",
            "should allow a colon in a hash",
        ),
        (
            "[](a?b:c)",
            "<p><a href=\"a?b:c\"></a></p>",
            "should allow a colon in a search",
        ),
        (
            "[](a/b:c)",
            "<p><a href=\"a/b:c\"></a></p>",
            "should allow a colon in a path",
        ),
    ]);
}

/// Opt-in behaviour: with `allow_any_img_src: true` the image `src` is emitted
/// unchanged for every scheme tried here, including `javascript:`.
///
/// NOTE(review): this pins the filter as fully bypassed for images when the
/// option is set. No link input is rendered with these options, so this file
/// does not show whether `href` filtering is unaffected by the flag — confirm
/// before enabling it on untrusted Markdown, and keep a downstream HTML
/// sanitizer or CSP in place where it is enabled.
#[test]
fn dangerous_protocol_image_with_option() {
    use markdown::{to_html_with_options, CompileOptions, Options};

    let compile = CompileOptions {
        allow_any_img_src: true,
        ..Default::default()
    };
    let options = Options {
        compile,
        ..Default::default()
    };

    let cases = [
        (
            "![](javascript:alert(1))",
            "<p><img src=\"javascript:alert(1)\" alt=\"\" /></p>",
            "should allow javascript protocol with allow_any_img_src option",
        ),
        (
            "![](irc:///help)",
            "<p><img src=\"irc:///help\" alt=\"\" /></p>",
            "should allow irc protocol with allow_any_img_src option",
        ),
        (
            "![](mailto:a)",
            "<p><img src=\"mailto:a\" alt=\"\" /></p>",
            "should allow mailto protocol with allow_any_img_src option",
        ),
    ];

    for &(input, html, why) in &cases {
        let result = to_html_with_options(input, &options).unwrap();
        assert_eq!(result, html, "{}", why);
    }
}