Added more tests and discovered a couple more issues.

48b29ea5 · Kohsuke Kawaguchi · ff8268da · 48b29ea5 · 48b29ea5
2 changed file
--- a/core/src/main/java/hudson/markup/MyspacePolicy.java
+++ b/core/src/main/java/hudson/markup/MyspacePolicy.java
@@ -58,7 +58,7 @@ public class MyspacePolicy {
            tag("select",   "multiple");
            tag("option",   "value","label","selected");
            tag("textarea");
-            tag("h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,lockquote");
+            tag("h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,blockquote");
            tag("hr,br,col");
            tag("font", "color", "face", "size");
            tag("a",        "nohref","rel");
@@ -66,6 +66,7 @@ public class MyspacePolicy {
            tag("span,div");
            tag("img",      "src",ONSITE_OR_OFFSITE_URL,
                            "hspace","vspace");
+            tag("iframe",   "src");
            tag("link",     "type","rel");
            tag("ul,ol,li,dd,dl,dt,thead,tbody,tfoot");
            tag("table",    "noresize");
@@ -73,12 +74,13 @@ public class MyspacePolicy {
            tag("colgroup", "span");
            tag("col",      "span");
            tag("fieldset,legend");
+            allowStandardUrlProtocols();
        }}.toFactory();
    }

    public static void main(String[] args) throws IOException {
        // Fetch the HTML to sanitize.
-        String html = "<button name='foo' value='xyz' disabled='true'>abc</button><br><script>foo</script>";
+        String html = "<a href='http://www.google.com/'>Google</a><img src='http://www.yahoo.com'>";
        // Set up an output channel to receive the sanitized HTML.
        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
                System.out,

--- a/core/src/test/java/hudson/markup/MyspacePolicyTest.java
+++ b/core/src/test/java/hudson/markup/MyspacePolicyTest.java
+package hudson.markup;
+
+import com.google.common.base.Throwables;
+import org.junit.Assert;
+import org.junit.Test;
+import org.owasp.html.Handler;
+import org.owasp.html.HtmlSanitizer;
+import org.owasp.html.HtmlStreamRenderer;
+
+import java.io.IOException;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class MyspacePolicyTest extends Assert {
+    @Test
+    public void testPolicy() {
+        assertIntact("<a href='http://www.cloudbees.com'>CB</a>");
+        assertIntact("<a href='relative/link'>relative</a>");
+        assertIntact("<a href='mailto:kk&#64;kohsuke.org'>myself</a>");
+        assertReject("javascript","<a href='javascript:alert(5)'>test</a>");
+
+        assertIntact("<img src='http://www.cloudbees.com'>");
+        assertIntact("<img src='relative/test.png'>");
+        assertIntact("<img src='relative/test.png'>");
+        assertReject("javascript","<img src='javascript:alert(5)'>");
+
+        assertIntact("<b><i><u><strike>basic tag</strike></u></i></b>");
+        assertIntact("<div><p>basic block tags</p></div>");
+
+        assertIntact("<ul><li>1</li><li>2</li><li>3</li></ul>");
+        assertIntact("<ol><li>x</li></ol>");
+        assertIntact("<dl><dt>abc</dt><dd>foo</dd></dl>");
+        assertIntact("<table><tr><th>header</th></tr><tr><td>something</td></tr></table>");
+        assertIntact("<h1>title</h1><blockquote>blurb</blockquote>");
+
+        assertIntact("<iframe src='nested'></iframe>");
+        assertIntact("<iframe src='http://kohsuke.org'></iframe>");
+        assertReject("javascript","<iframe src='javascript:foo'></iframe>");
+
+        assertReject("script","<script>window.alert(5);</script>");
+        assertReject("script","<script src='http://foo/evil.js'></script>");
+        assertReject("script","<script src='relative.js'></script>");
+
+        assertIntact("<style>H1 { display:none; }</style>");
+        assertIntact("<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>");
+        assertIntact("<div style='background-color:white'>inline CSS</div>");
+        assertIntact("<br><hr>");
+
+        assertIntact("<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
+    }
+
+    private void assertIntact(String input) {
+        input = input.replace('\'','\"');
+        assertSanitize(input,input);
+    }
+    
+    private void assertReject(String problematic, String input) {
+        String out = sanitize(input);
+        assertFalse(out, out.contains(problematic));
+    }
+    
+    private void assertSanitize(String expected, String input) {
+        assertEquals(expected,sanitize(input));
+    }
+
+    private String sanitize(String input) {
+        StringBuilder buf = new StringBuilder();
+        HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
+                buf,
+                // Receives notifications on a failure to write to the output.
+                new Handler<IOException>() {
+                    public void handle(IOException ex) {
+                        Throwables.propagate(ex);  // System.out suppresses IOExceptions
+                    }
+                },
+                // Our HTML parser is very lenient, but this receives notifications on
+                // truly bizarre inputs.
+                new Handler<String>() {
+                    public void handle(String x) {
+                        throw new AssertionError(x);
+                    }
+                }
+        );
+        HtmlSanitizer.sanitize(input, MyspacePolicy.POLICY_DEFINITION.apply(renderer));
+        return buf.toString();
+    }
+}