package org.jsoup.safety; import org.jsoup.Jsoup; import org.jsoup.MultiLocaleExtension.MultiLocaleTest; import org.jsoup.TextUtil; import org.jsoup.nodes.Document; import org.jsoup.nodes.Element; import org.jsoup.nodes.Entities; import org.jsoup.nodes.Range; import org.jsoup.parser.Parser; import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; import java.util.Arrays; import java.util.Locale; import static org.junit.jupiter.api.Assertions.*; /** Tests for the cleaner. @author Jonathan Hedley, jonathan@hedley.net */ public class CleanerTest { @Test public void simpleBehaviourTest() { String h = "

Hello there!

"; String cleanHtml = Jsoup.clean(h, Safelist.simpleText()); assertEquals("Hello there!", TextUtil.stripNewlines(cleanHtml)); } @Test public void simpleBehaviourTest2() { String h = "Hello there!"; String cleanHtml = Jsoup.clean(h, Safelist.simpleText()); assertEquals("Hello there!", TextUtil.stripNewlines(cleanHtml)); } @Test public void basicBehaviourTest() { String h = "

Dodgy Nice

Hello
"; String cleanHtml = Jsoup.clean(h, Safelist.basic()); assertEquals("

Dodgy Nice

Hello
", TextUtil.stripNewlines(cleanHtml)); } @Test public void basicWithImagesTest() { String h = "

Image

"; String cleanHtml = Jsoup.clean(h, Safelist.basicWithImages()); assertEquals("

\"Image\"

", TextUtil.stripNewlines(cleanHtml)); } @Test public void testRelaxed() { String h = "

Head

OneTwo
"; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("

Head

OneTwo
", TextUtil.stripNewlines(cleanHtml)); } @Test public void testRemoveTags() { String h = "

Nice

Hello
"; String cleanHtml = Jsoup.clean(h, Safelist.basic().removeTags("a")); assertEquals("

Nice

Hello
", TextUtil.stripNewlines(cleanHtml)); } @Test public void testRemoveAttributes() { String h = "

Nice

Hello
"; String cleanHtml = Jsoup.clean(h, Safelist.basic().removeAttributes("blockquote", "cite")); assertEquals("

Nice

Hello
", TextUtil.stripNewlines(cleanHtml)); } @Test void allAttributes() { String h = "

Text

Foo"; Safelist safelist = Safelist.relaxed(); safelist.addAttributes(":all", "class"); safelist.addAttributes("div", "data"); String clean1 = Jsoup.clean(h, safelist); assertEquals("

Text

Foo
", TextUtil.stripNewlines(clean1)); safelist.removeAttributes(":all", "class", "cite"); String clean2 = Jsoup.clean(h, safelist); assertEquals("

Text

Foo
", TextUtil.stripNewlines(clean2)); } @Test void removeProtocols() { String h = "Link"; Safelist safelist = Safelist.relaxed(); String clean1 = Jsoup.clean(h, safelist); assertEquals("Link", clean1); safelist.removeProtocols("a", "href", "ftp", "http", "https", "mailto"); String clean2 = Jsoup.clean(h, safelist); // all removed means any will work assertEquals("Link", clean2); } @Test public void testRemoveEnforcedAttributes() { String h = "

Nice

Hello
"; String cleanHtml = Jsoup.clean(h, Safelist.basic().removeEnforcedAttribute("a", "rel")); assertEquals("

Nice

Hello
", TextUtil.stripNewlines(cleanHtml)); } @Test public void testRemoveProtocols() { String h = "

Contact me here

"; String cleanHtml = Jsoup.clean(h, Safelist.basic().removeProtocols("a", "href", "ftp", "mailto")); assertEquals("

Contact me here

", TextUtil.stripNewlines(cleanHtml)); } @MultiLocaleTest public void safeListedProtocolShouldBeRetained(Locale locale) { Locale.setDefault(locale); Safelist safelist = Safelist.none() .addTags("a") .addAttributes("a", "href") .addProtocols("a", "href", "something"); String cleanHtml = Jsoup.clean("", safelist); assertEquals("", TextUtil.stripNewlines(cleanHtml)); } @Test public void testDropComments() { String h = "

Hello

"; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("

Hello

", cleanHtml); } @Test public void testDropXmlProc() { String h = "

Hello

"; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("

Hello

", cleanHtml); } @Test public void testDropScript() { String h = ""; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("", cleanHtml); } @Test public void testDropImageScript() { String h = ""; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("", cleanHtml); } @Test public void testCleanJavascriptHref() { String h = "XSS"; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("XSS", cleanHtml); } @Test public void testCleanAnchorProtocol() { String validAnchor = "Valid anchor"; String invalidAnchor = "Invalid anchor"; // A Safelist that does not allow anchors will strip them out. String cleanHtml = Jsoup.clean(validAnchor, Safelist.relaxed()); assertEquals("Valid anchor", cleanHtml); cleanHtml = Jsoup.clean(invalidAnchor, Safelist.relaxed()); assertEquals("Invalid anchor", cleanHtml); // A Safelist that allows them will keep them. Safelist relaxedWithAnchor = Safelist.relaxed().addProtocols("a", "href", "#"); cleanHtml = Jsoup.clean(validAnchor, relaxedWithAnchor); assertEquals(validAnchor, cleanHtml); // An invalid anchor is never valid. cleanHtml = Jsoup.clean(invalidAnchor, relaxedWithAnchor); assertEquals("Invalid anchor", cleanHtml); } @Test public void testDropsUnknownTags() { String h = "

Test

"; String cleanHtml = Jsoup.clean(h, Safelist.relaxed()); assertEquals("

Test

", cleanHtml); } @Test public void testHandlesEmptyAttributes() { String h = "\"\""; String cleanHtml = Jsoup.clean(h, Safelist.basicWithImages()); assertEquals("\"\"", cleanHtml); } @Test public void testIsValidBodyHtml() { String ok = "

Test OK

"; String ok1 = "

Test OK

"; // missing enforced is OK because still needs run thru cleaner String nok1 = "

Not OK

"; String nok2 = "

Test Not OK

"; String nok3 = "

Not OK

"; // comments and the like will be cleaned String nok4 = "FooOK"; // not body html String nok5 = "

Test OK

"; String nok6 = "

Test OK

"; // missing close tag String nok7 = "
What"; assertTrue(Jsoup.isValid(ok, Safelist.basic())); assertTrue(Jsoup.isValid(ok1, Safelist.basic())); assertFalse(Jsoup.isValid(nok1, Safelist.basic())); assertFalse(Jsoup.isValid(nok2, Safelist.basic())); assertFalse(Jsoup.isValid(nok3, Safelist.basic())); assertFalse(Jsoup.isValid(nok4, Safelist.basic())); assertFalse(Jsoup.isValid(nok5, Safelist.basic())); assertFalse(Jsoup.isValid(nok6, Safelist.basic())); assertFalse(Jsoup.isValid(ok, Safelist.none())); assertFalse(Jsoup.isValid(nok7, Safelist.basic())); } @Test public void testIsValidDocument() { String ok = "

Hello

"; String nok = "Hello

Hello

"; Safelist relaxed = Safelist.relaxed(); Cleaner cleaner = new Cleaner(relaxed); Document okDoc = Jsoup.parse(ok); assertTrue(cleaner.isValid(okDoc)); assertFalse(cleaner.isValid(Jsoup.parse(nok))); assertFalse(new Cleaner(Safelist.none()).isValid(okDoc)); } @Test public void resolvesRelativeLinks() { String html = "Link"; String clean = Jsoup.clean(html, "http://example.com/", Safelist.basicWithImages()); assertEquals("Link", clean); } @Test public void preservesRelativeLinksIfConfigured() { String html = "Link "; String clean = Jsoup.clean(html, "http://example.com/", Safelist.basicWithImages().preserveRelativeLinks(true)); assertEquals("Link ", clean); } @Test public void dropsUnresolvableRelativeLinks() { String html = "Link"; String clean = Jsoup.clean(html, Safelist.basic()); assertEquals("Link", clean); } @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksEnabled() { Safelist safelist = Safelist.basic().preserveRelativeLinks(true); String html = "Link"; String clean = Jsoup.clean(html, "https://", safelist); assertEquals("Link", clean); String colon = "Link"; String cleanColon = Jsoup.clean(colon, "https://", safelist); assertEquals("Link", cleanColon); } @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksDisabled() { Safelist safelist = Safelist.basic().preserveRelativeLinks(false); String html = "Link"; String clean = Jsoup.clean(html, "https://", safelist); assertEquals("Link", clean); } @Test public void handlesCustomProtocols() { String html = " "; String dropped = Jsoup.clean(html, Safelist.basicWithImages()); assertEquals(" ", dropped); String preserved = Jsoup.clean(html, Safelist.basicWithImages().addProtocols("img", "src", "cid", "data")); assertEquals(" ", preserved); } @Test public void handlesAllPseudoTag() { String html = "

link

"; Safelist safelist = new Safelist() .addAttributes(":all", "class") .addAttributes("p", "style") .addTags("p", "a"); String clean = Jsoup.clean(html, safelist); assertEquals("

link

", clean); } @Test public void addsTagOnAttributesIfNotSet() { String html = "

One

"; Safelist safelist = new Safelist() .addAttributes("p", "class"); // ^^ safelist does not have explicit tag add for p, inferred from add attributes. String clean = Jsoup.clean(html, safelist); assertEquals("

One

", clean); } @Test public void supplyOutputSettings() { // test that one can override the default document output settings Document.OutputSettings os = new Document.OutputSettings(); os.prettyPrint(false); os.escapeMode(Entities.EscapeMode.extended); os.charset("ascii"); String html = "

"; String customOut = Jsoup.clean(html, "http://foo.com/", Safelist.relaxed(), os); String defaultOut = Jsoup.clean(html, "http://foo.com/", Safelist.relaxed()); assertNotSame(defaultOut, customOut); assertEquals("

", customOut); // entities now prefers shorted names if aliased assertEquals("
\n" + "

\n" + "
", defaultOut); os.charset("ASCII"); os.escapeMode(Entities.EscapeMode.base); String customOut2 = Jsoup.clean(html, "http://foo.com/", Safelist.relaxed(), os); assertEquals("

", customOut2); } @Test public void handlesFramesets() { String dirty = ""; String clean = Jsoup.clean(dirty, Safelist.basic()); assertEquals("", clean); // nothing good can come out of that Document dirtyDoc = Jsoup.parse(dirty); Document cleanDoc = new Cleaner(Safelist.basic()).clean(dirtyDoc); assertNotNull(cleanDoc); assertEquals(0, cleanDoc.body().childNodeSize()); } @Test public void cleansInternationalText() { assertEquals("привет", Jsoup.clean("привет", Safelist.none())); } @Test public void testScriptTagInSafeList() { Safelist safelist = Safelist.relaxed(); safelist.addTags( "script" ); assertTrue( Jsoup.isValid("HelloWorld !", safelist) ); } @Test public void bailsIfRemovingProtocolThatsNotSet() { assertThrows(IllegalArgumentException.class, () -> { // a case that came up on the email list Safelist w = Safelist.none(); // note no add tag, and removing protocol without adding first w.addAttributes("a", "href"); w.removeProtocols("a", "href", "javascript"); // with no protocols enforced, this was a noop. Now validates. }); } @Test public void handlesControlCharactersAfterTagName() { String html = ""; String clean = Jsoup.clean(html, Safelist.basic()); assertEquals("", clean); } @Test public void handlesAttributesWithNoValue() { // https://github.com/jhy/jsoup/issues/973 String clean = Jsoup.clean("Clean", Safelist.basic()); assertEquals("Clean", clean); } @Test public void handlesNoHrefAttribute() { String dirty = "One Two"; Safelist relaxedWithAnchor = Safelist.relaxed().addProtocols("a", "href", "#"); String clean = Jsoup.clean(dirty, relaxedWithAnchor); assertEquals("One Two", clean); } @Test public void handlesNestedQuotesInAttribute() { // https://github.com/jhy/jsoup/issues/1243 - no repro String orig = "
Will (not) fail
"; Safelist allow = Safelist.relaxed() .addAttributes("div", "style"); String clean = Jsoup.clean(orig, allow); boolean isValid = Jsoup.isValid(orig, allow); assertEquals(orig, TextUtil.stripNewlines(clean)); // only difference is pretty print wrap & indent assertTrue(isValid); } @Test public void copiesOutputSettings() { Document orig = Jsoup.parse("

test

"); orig.outputSettings().syntax(Document.OutputSettings.Syntax.xml); orig.outputSettings().escapeMode(Entities.EscapeMode.xhtml); Safelist safelist = Safelist.none().addTags("p", "br"); Document result = new Cleaner(safelist).clean(orig); assertEquals(Document.OutputSettings.Syntax.xml, result.outputSettings().syntax()); assertEquals("

test

", result.body().html()); } @Test void preservesSourcePositionViaUserData() { Document orig = Jsoup.parse("\n

Hello

", Parser.htmlParser().setTrackPosition(true)); Element p = orig.expectFirst("p"); Range origRange = p.sourceRange(); assertEquals("2,2:22-2,10:30", origRange.toString()); Range.AttributeRange attributeRange = p.attributes().sourceRange("id"); assertEquals("2,5:25-2,7:27=2,8:28-2,9:29", attributeRange.toString()); Document clean = new Cleaner(Safelist.relaxed().addAttributes("p", "id")).clean(orig); Element cleanP = clean.expectFirst("p"); assertEquals("1", cleanP.id()); Range cleanRange = cleanP.sourceRange(); assertEquals(origRange, cleanRange); assertEquals(orig.endSourceRange(), clean.endSourceRange()); assertEquals(attributeRange, cleanP.attributes().sourceRange("id")); } @ParameterizedTest @ValueSource(booleans = {true, false}) void cleansCaseSensitiveElements(boolean preserveCase) { // https://github.com/jhy/jsoup/issues/2049 String html = ""; String[] tags = {"svg", "feMerge", "feMergeNode", "clipPath"}; String[] attrs = {"kernelMatrix", "baseFrequency"}; if (!preserveCase) { tags = Arrays.stream(tags).map(String::toLowerCase).toArray(String[]::new); attrs = Arrays.stream(attrs).map(String::toLowerCase).toArray(String[]::new); } Safelist safelist = Safelist.none().addTags(tags).addAttributes(":all", attrs); String clean = Jsoup.clean(html, safelist); String expected = "\n" + " \n" + " \n" + " \n" + " \n" + " \n" + " \n" + " \n" + ""; assertEquals(expected, clean); } }