|
|
@@ -33,4 +33,45 @@ class URLTest < ActiveSupport::TestCase |
|
|
|
assert_not uri_with_safe_scheme?("httpx://example.com/") |
|
|
|
assert_not uri_with_safe_scheme?("mailto:root@") |
|
|
|
end |
|
|
|
|
|
|
|
LINK_SAFE_URIS = [ |
|
|
|
"http://example.com/", |
|
|
|
"https://example.com/", |
|
|
|
"ftp://example.com/", |
|
|
|
"foo://example.org", |
|
|
|
"mailto:foo@example.org", |
|
|
|
" http://example.com/", |
|
|
|
"", |
|
|
|
"/javascript:alert(\'filename\')", |
|
|
|
] |
|
|
|
|
|
|
|
def test_uri_with_link_safe_scheme_should_recognize_safe_uris |
|
|
|
LINK_SAFE_URIS.each do |uri| |
|
|
|
assert uri_with_link_safe_scheme?(uri), "'#{uri}' should be safe" |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
LINK_UNSAFE_URIS = [ |
|
|
|
"javascript:alert(\'XSS\');", |
|
|
|
"javascript :alert(\'XSS\');", |
|
|
|
"javascript: alert(\'XSS\');", |
|
|
|
"javascript : alert(\'XSS\');", |
|
|
|
":javascript:alert(\'XSS\');", |
|
|
|
"javascript:", |
|
|
|
"javascript:", |
|
|
|
"javascript:", |
|
|
|
"javascript:", |
|
|
|
"java\0script:alert(\"XSS\")", |
|
|
|
"java\script:alert(\"XSS\")", |
|
|
|
" \x0e javascript:alert(\'XSS\');", |
|
|
|
"data:image/png;base64,foobar", |
|
|
|
"vbscript:foobar", |
|
|
|
"data:text/html;base64,foobar", |
|
|
|
] |
|
|
|
|
|
|
|
def test_uri_with_link_safe_scheme_should_recognize_unsafe_uris |
|
|
|
LINK_UNSAFE_URIS.each do |uri| |
|
|
|
assert_not uri_with_link_safe_scheme?(uri), "'#{uri}' should not be safe" |
|
|
|
end |
|
|
|
end |
|
|
|
end |
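Review bot: The four `"javascript:"` entries in `LINK_UNSAFE_URIS` render as identical strings here, so unless they really differ by characters the rendering dropped (a tab, newline or non-ASCII whitespace between the letters, which the neighbouring `\0` and `\x0e` cases suggest), the test asserts the same input four times and the intended variants get no coverage; writing them with explicit escapes such as `"java\tscript:"` or `"java\nscript:"` would keep the distinction visible and survive copy/paste. In the same list, `"java\script:alert(\"XSS\")"` is `java script:` after Ruby's `\s` escape, so if a literal backslash was intended it needs `\\s`. Both new tests interpolate the raw URI into the failure message, which makes the `\0`/`\x0e` cases unreadable on failure; `"#{uri.inspect} should be safe"` shows the escapes. Since `uri_with_safe_scheme?` rejects `httpx://` while `uri_with_link_safe_scheme?` accepts `foo://example.org`, a one-line comment above `LINK_SAFE_URIS` along the lines of `# uri_with_link_safe_scheme? appears to reject only known script/data schemes rather than allow-listing; keep both lists in sync with the helper` would spare the next reader inferring the contract from the fixtures.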