Skip to content

Commit

Permalink
Merge pull request #199 from flavorjones/flavorjones-skip-nokogiri-pa…
Browse files Browse the repository at this point in the history
…tch-tests

avoid testing nokogiri's server-side attribute patch when using system libxml2
  • Loading branch information
rgrove authored Apr 30, 2020
2 parents 245c705 + 21da9b6 commit c90bcb1
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions test/test_malicious_html.rb
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,8 @@
# The relevant libxml2 code is here:
# <https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588>
describe 'unsafe libxml2 server-side includes in attributes' do
using_unpatched_libxml2 = Nokogiri::VersionInfo.instance.libxml2_using_system?

tag_configs = [
{
tag_name: 'a',
Expand Down Expand Up @@ -166,6 +168,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]

it 'should escape unsafe characters in attributes' do
skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2

# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).
Expand All @@ -191,6 +195,8 @@
input = %[<#{tag_name} #{attr_name}='examp<!--" onmouseover=alert(1)>-->le.com'>foo</#{tag_name}>]

it 'should not escape characters unnecessarily' do
skip "behavior should only exist in nokogiri's patched libxml" if using_unpatched_libxml2

# This uses Nokogumbo's HTML-compliant serializer rather than
# libxml2's.
@s.fragment(input).
Expand Down

0 comments on commit c90bcb1

Please sign in to comment.