From 5668ce1ec701ed12eb099020e8a322de08e6f810 Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Thu, 26 May 2022 11:37:13 +0200 Subject: [bugfix] Fix HTML escaping in instance title (#607) * move caption sanitization -> sanitize.go * use sanitizeplaintext rather than removehtml * rename sanitizecaption to sanitizeplaintext * avoid removing html twice from statuses * unexport remoteHTML it's no longer used outside the text package so this makes it less confusing * test instance PATCH --- internal/text/sanitize_test.go | 68 ++++++++++++++++++++++++++++-------------- 1 file changed, 46 insertions(+), 22 deletions(-) (limited to 'internal/text/sanitize_test.go') diff --git a/internal/text/sanitize_test.go b/internal/text/sanitize_test.go index 4270e2602..eea5daadb 100644 --- a/internal/text/sanitize_test.go +++ b/internal/text/sanitize_test.go @@ -26,17 +26,8 @@ import ( ) const ( - removeHTML = `

Another test @foss_satan

#Hashtag

Text

` - removedHTML = `Another test @foss_satan#HashtagText` - - sanitizeHTML = `here's some naughty html: !!!` - sanitizedHTML = `here's some naughty html: !!!` - - withEscapedLiteral = `it\u0026amp;#39;s its it is` - withEscapedLiteralExpected = `it\u0026amp;#39;s its it is` - withEscaped = "it\u0026amp;#39;s its it is" - withEscapedExpected = "it&#39;s its it is" - + sanitizeHTML = `here's some naughty html: !!!` + sanitizedHTML = `here's some naughty html: !!!` sanitizeOutgoing = `

gotta test some fucking ''''''''' marks

` sanitizedOutgoing = `

gotta test some fucking ''''''''' marks

` ) @@ -45,11 +36,6 @@ type SanitizeTestSuite struct { suite.Suite } -func (suite *SanitizeTestSuite) TestRemoveHTML() { - s := text.RemoveHTML(removeHTML) - suite.Equal(removedHTML, s) -} - func (suite *SanitizeTestSuite) TestSanitizeOutgoing() { s := text.SanitizeHTML(sanitizeOutgoing) suite.Equal(sanitizedOutgoing, s) @@ -60,14 +46,52 @@ func (suite *SanitizeTestSuite) TestSanitizeHTML() { suite.Equal(sanitizedHTML, s) } -func (suite *SanitizeTestSuite) TestSanitizeWithEscapedLiteral() { - s := text.RemoveHTML(withEscapedLiteral) - suite.Equal(withEscapedLiteralExpected, s) +func (suite *SanitizeTestSuite) TestSanitizeCaption1() { + dodgyCaption := "this is just a normal caption ;)" + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("this is just a normal caption ;)", sanitized) +} + +func (suite *SanitizeTestSuite) TestSanitizeCaption2() { + dodgyCaption := "here's a LOUD caption" + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("here's a LOUD caption", sanitized) +} + +func (suite *SanitizeTestSuite) TestSanitizeCaption3() { + dodgyCaption := "" + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("", sanitized) +} + +func (suite *SanitizeTestSuite) TestSanitizeCaption4() { + dodgyCaption := ` + + +here is +a multi line +caption +with some newlines + + + +` + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("here is\na multi line\ncaption\nwith some newlines", sanitized) +} + +func (suite *SanitizeTestSuite) TestSanitizeCaption5() { + // html-escaped: " hello world" + dodgyCaption := `<script>console.log('aha!')</script> hello world` + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("hello world", sanitized) } -func (suite *SanitizeTestSuite) TestSanitizeWithEscaped() { - s := text.RemoveHTML(withEscaped) - suite.Equal(withEscapedExpected, s) +func (suite *SanitizeTestSuite) TestSanitizeCaption6() { + // html-encoded: " hello world" + dodgyCaption := `<script>console.log('aha!')</script> hello world` + sanitized := text.SanitizePlaintext(dodgyCaption) + suite.Equal("hello world", sanitized) } func TestSanitizeTestSuite(t *testing.T) { -- cgit v1.2.3