// Copyright 2020 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package app
import (
"testing"
"github.com/stretchr/testify/assert"
)
// Test_ipynbSanitizer runs the policy returned by ipynbSanitizer over rendered
// notebook fragments and compares the sanitized HTML with the expected string.
//
// Covered here:
//   - "class" and "data-prompt-number" attributes on <div> survive unchanged;
//   - an <img> whose src is a base64 "data:image/png" URI survives unchanged;
//   - <style> and <script> elements are dropped together with their contents.
//
// NOTE(review): the negative coverage is limited to whole-element removal.
// Nothing here exercises event-handler attributes or script-scheme URLs on
// elements the policy keeps, nor data: URIs with a non-image media type, so a
// policy change that loosened those would not be caught by this test.
func Test_ipynbSanitizer(t *testing.T) {
	type sanitizeCase struct {
		name     string
		html     string
		expected string
	}

	// The raw literals below are compared exactly, so every character inside
	// the backticks (line breaks included) is part of the expectation.
	cases := []sanitizeCase{
		{
			name: "allow 'class' and 'data-prompt-number' attributes",
			html: `
<div class="nb-notebook">
<div class="nb-worksheet">
<div class="nb-cell nb-markdown-cell">Hello world</div>
<div class="nb-cell nb-code-cell">
<div class="nb-input" data-prompt-number="4">
</div>
</div>
</div>
</div>
`,
			expected: `
<div class="nb-notebook">
<div class="nb-worksheet">
<div class="nb-cell nb-markdown-cell">Hello world</div>
<div class="nb-cell nb-code-cell">
<div class="nb-input" data-prompt-number="4">
</div>
</div>
</div>
</div>
`,
		},
		{
			// Inline images are how notebook outputs embed plots, so the
			// policy has to let this data: URI through.
			name: "allow base64 encoded images",
			html: `
<div class="nb-output" data-prompt-number="4">
<img class="nb-image-output" src="data:image/png;base64,iVBORw0KGgoA"/>
</div>
`,
			expected: `
<div class="nb-output" data-prompt-number="4">
<img class="nb-image-output" src="data:image/png;base64,iVBORw0KGgoA"/>
</div>
`,
		},
		{
			// Notebook HTML output is author-controlled; active content must
			// not reach the page that renders it.
			// NOTE(review): confirm the expected text accounts for the line
			// breaks that surrounded the removed elements in the input.
			name: "prevent XSS",
			html: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
<style>
.output {
align-items: center;
background: #00ff00;
}
</style>
<script>
function test() {
alert("test");
}
$(document).ready(test);
</script>
</div>
</div>
`,
			expected: `
<div class="nb-output" data-prompt-number="10">
<div class="nb-html-output">
</div>
</div>
`,
		},
	}

	policy := ipynbSanitizer()
	for i := range cases {
		tc := cases[i]
		t.Run(tc.name, func(t *testing.T) {
			got := policy.Sanitize(tc.html)
			assert.Equal(t, tc.expected, got)
		})
	}
}