Merge pull request #4 from JuliaComputing/sp/gumbo0.8

gumbo 0.8 compat

Author: pfitzseb

.travis.yml

@@ -4,7 +4,6 @@ os:
   - linux
   - osx
 julia:
-  - 1.0
   - 1.3
   - nightly
 matrix:

Project.toml

@@ -8,7 +8,7 @@ Gumbo = "708ec375-b3d6-5a57-a7ce-8257bf98657a"
 
 [compat]
 julia = "1"
-Gumbo = "0.7"
+Gumbo = "0.8"
 
 [extras]
 Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"

src/HTMLSanitizer.jl

@@ -127,7 +127,13 @@ end
 # 2. starts with `//` (protocol-relative).
 # 3. starts with `../`/`./` (relative directory traversal)
 # 4. doesn't start with either of the above and doesn't start with a protocol (e.g. `foo/bar.html`)
-is_relative_url(url) = occursin(r"\.?\.?//?"i, url) || !occursin(r"^\w+://"i, url)
+function is_relative_url(url)
+    if occursin(r"^\.?\.?//?"i, url)
+        return true
+    else
+        return !occursin(r"^\w+://"i, url)
+    end
+end
 
 """
 Default whitelist. Allows many elements and attributes, but crucially removes `<script>` elements

test/malicious_html.jl

@@ -23,42 +23,42 @@
 
   @testset "<img>" begin
     @testset "should not be possible to inject JS via an unquoted <img> src attribute" begin
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=javascript:alert('XSS')>""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=javascript:alert('XSS')>""")
     end
 
     @testset "should not be possible to inject JS using grave accents as <img> src delimiters" begin
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=`javascript:alert('XSS')`>""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=`javascript:alert('XSS')`>""")
     end
 
     @testset "should not be possible to inject <script> via a malformed <img> tag" begin
-      @test """<img></img>">""" == HTMLSanitizer.sanitize("""<img \"\"\"><script>alert("XSS")</script>">""")
+      @test """<img/>\"&gt;""" == HTMLSanitizer.sanitize("""<img \"\"\"><script>alert("XSS")</script>">""")
     end
 
     @testset "should not be possible to inject protocol-based JS" begin
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>""")
 
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>""")
 
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>""")
 
       # Encoded tab character.
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src="jav&#x09;ascript:alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src="jav&#x09;ascript:alert('XSS');">""")
 
       # Encoded newline.
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src="jav&#x0A;ascript:alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src="jav&#x0A;ascript:alert('XSS');">""")
 
       # Encoded carriage return.
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src="jav&#x0D;ascript:alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src="jav&#x0D;ascript:alert('XSS');">""")
 
       # Spaces plus meta char.
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src=" &#14;  javascript:alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src=" &#14;  javascript:alert('XSS');">""")
 
       # Mixed spaces and tabs.
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src="j\na v\tascript://alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src="j\na v\tascript://alert('XSS');">""")
     end
 
     @testset "should not be possible to inject protocol-based JS via whitespace" begin
-      @test "<img></img>" == HTMLSanitizer.sanitize("""<img src="jav\tascript:alert('XSS');">""")
+      @test "<img/>" == HTMLSanitizer.sanitize("""<img src="jav\tascript:alert('XSS');">""")
     end
 
     @testset "should not be possible to inject JS using a half-open <img> tag" begin

test/runtests.jl

@@ -47,15 +47,15 @@ using Test
   end
 
   @testset "test_whitelisted_longdesc_schemes_are_allowed" begin
-    stuff = """<img longdesc="http://longdesc.com" src="./foo.jpg"></img>"""
+    stuff = """<img longdesc="http://longdesc.com" src="./foo.jpg"/>"""
     html  = HTMLSanitizer.sanitize(stuff)
     @test stuff == html
   end
 
   @testset "test_weird_longdesc_schemes_are_removed" begin
-    stuff = """<img src="./foo.jpg" longdesc="javascript:alert(1)"></img>"""
+    stuff = """<img src="./foo.jpg" longdesc="javascript:alert(1)"/>"""
     html  = HTMLSanitizer.sanitize(stuff)
-    @test """<img src="./foo.jpg"></img>""" == html
+    @test """<img src="./foo.jpg"/>""" == html
   end
 
   @testset "test_standard_schemes_are_removed_if_not_specified_in_anchor_schemes" begin
@@ -153,30 +153,30 @@ end
 
 @testset "urls" begin
   @testset "relative" begin
-    orig = """<img src="foo/bar.html"></img>"""
+    orig = """<img src="foo/bar.html"/>"""
     @test sanitize(orig) == orig
 
-    orig = """<img src="/foo/bar.html"></img>"""
+    orig = """<img src="/foo/bar.html"/>"""
     @test sanitize(orig) == orig
 
-    orig = """<img src="//foo/bar.html"></img>"""
+    orig = """<img src="//foo/bar.html"/>"""
     @test sanitize(orig) == orig
 
-    orig = """<img src="./foo/bar.html"></img>"""
+    orig = """<img src="./foo/bar.html"/>"""
     @test sanitize(orig) == orig
 
-    orig = """<img src="/asd://foo/bar.html"></img>"""
+    orig = """<img src="/asd://foo/bar.html"/>"""
     @test sanitize(orig) == orig
   end
 
   @testset "protocols" begin
-    orig = """<img src="asd://foo/bar.html"></img>"""
-    @test sanitize(orig) == "<img></img>"
+    orig = """<img src="asd://foo/bar.html"/>"""
+    @test sanitize(orig) == "<img/>"
 
-    orig = """<img src="http://foo/bar.html"></img>"""
+    orig = """<img src="http://foo/bar.html"/>"""
     @test sanitize(orig) == orig
 
-    orig = """<img src="https://foo/bar.html"></img>"""
+    orig = """<img src="https://foo/bar.html"/>"""
     @test sanitize(orig) == orig
   end
 end
@@ -186,4 +186,15 @@ end
   sanitize(html) == read(joinpath(@__DIR__, "testhtml_out.html"), String)
 end
 
+@testset "relative urls" begin
+  @test HTMLSanitizer.is_relative_url("/foo")
+  @test HTMLSanitizer.is_relative_url("//foo")
+  @test HTMLSanitizer.is_relative_url("./foo")
+  @test HTMLSanitizer.is_relative_url("../foo")
+  @test HTMLSanitizer.is_relative_url("foo")
+  @test !HTMLSanitizer.is_relative_url("https://foo")
+  @test !HTMLSanitizer.is_relative_url("http://foo")
+  @test !HTMLSanitizer.is_relative_url("bar://foo")
+end
+
 include("malicious_html.jl")