/*
* Copyright 2013 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.google.template.soy.basicdirectives;
import static com.google.common.truth.Truth.assertThat;
import com.google.common.base.Function;
import com.google.common.collect.FluentIterable;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.template.soy.data.SanitizedContent;
import com.google.template.soy.data.SanitizedContent.ContentKind;
import com.google.template.soy.data.SoyValue;
import com.google.template.soy.data.UnsafeSanitizedContentOrdainer;
import com.google.template.soy.data.restricted.StringData;
import com.google.template.soy.jssrc.restricted.JsExpr;
import com.google.template.soy.pysrc.restricted.PyExpr;
import com.google.template.soy.shared.AbstractSoyPrintDirectiveTestCase;
import com.google.template.soy.shared.restricted.TagWhitelist.OptionalSafeTag;
/**
* Unit tests for {@link CleanHtmlDirective}.
*/
public class CleanHtmlDirectiveTest extends AbstractSoyPrintDirectiveTestCase {
public void testApplyForTofu() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
assertTofuOutput(sanitizedHtml("boo hoo"), "boo hoo", cleanHtml);
assertTofuOutput(sanitizedHtml("3 < 5"), "3 < 5", cleanHtml);
assertTofuOutput(sanitizedHtml(""), "", cleanHtml);
// Known safe content is preserved.
assertTofuOutput(sanitizedHtml(""),
sanitizedHtml(""), cleanHtml);
// Entities are preserved
assertTofuOutput(sanitizedHtml(" "), " ", cleanHtml);
// Safe tags are preserved. Others are not.
assertTofuOutput(
sanitizedHtml("Hello, World!"), "Hello, World!", cleanHtml);
}
public void testApplyForTofu_optionalSafeTags() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
// All possible OptionalSafeTags.
Object[] optionalSafeTagsAsArgs =
FluentIterable.from(ImmutableSet.copyOf(OptionalSafeTag.values()))
.transform(OptionalSafeTag.TO_TAG_NAME)
.toArray(String.class);
// Safe tags are preserved. Others are not.
assertTofuOutput(
sanitizedHtml("Hello,
Worrell!
"),
"Hello,
Worrell!
",
cleanHtml,
optionalSafeTagsAsArgs);
// Only the specified optional safe tags are preserved.
assertTofuOutput(
sanitizedHtml("Hello, Worrell!"),
"Hello,
Worrell!
",
cleanHtml,
"span");
try {
cleanHtml.applyForJava(
StringData.forValue("test"),
ImmutableList.of(StringData.forValue("unsupported")));
fail();
} catch (IllegalArgumentException e) {
// Test passes.
}
}
public void testApplyForJsSrc() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
JsExpr dataRef = new JsExpr("opt_data.myKey", Integer.MAX_VALUE);
assertThat(cleanHtml.applyForJsSrc(dataRef, ImmutableList.of()).getText())
.isEqualTo("soy.$$cleanHtml(opt_data.myKey)");
}
public void testApplyForJsSrc_optionalSafeTags() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
JsExpr dataRef = new JsExpr("opt_data.myKey", Integer.MAX_VALUE);
// All possible OptionalSafeTags.
ImmutableList optionalSafeTagsAsJsExprs =
FluentIterable.from(ImmutableSet.copyOf(OptionalSafeTag.values()))
.transform(OptionalSafeTag.TO_TAG_NAME)
.transform(STRING_TO_JS_EXPR).toList();
assertThat(cleanHtml.applyForJsSrc(dataRef, optionalSafeTagsAsJsExprs).getText())
.isEqualTo("soy.$$cleanHtml(opt_data.myKey, ['li', 'ol', 'span', 'ul'])");
// Only the specified optional safe tags are passed to $$cleanHtml.
assertThat(
cleanHtml.applyForJsSrc(dataRef, ImmutableList.of(new JsExpr("'span'", Integer.MAX_VALUE)))
.getText()).isEqualTo("soy.$$cleanHtml(opt_data.myKey, ['span'])");
// Invalid optional safe tags.
try {
cleanHtml.applyForJsSrc(
dataRef, ImmutableList.of(new JsExpr("'unsupported'", Integer.MAX_VALUE)));
fail();
} catch (IllegalArgumentException e) {
// Test passes.
}
try {
cleanHtml.applyForJsSrc(
dataRef, ImmutableList.of(new JsExpr("'li, ul'", Integer.MAX_VALUE)));
fail();
} catch (IllegalArgumentException e) {
// Test passes.
}
// Invalid parameter syntax.
try {
cleanHtml.applyForJsSrc(
dataRef, ImmutableList.of(new JsExpr("$myExtraSafeTags", Integer.MAX_VALUE)));
fail();
} catch (IllegalArgumentException e) {
assertThat(e).hasMessage("The cleanHtml directive expects arguments to be tag name string "
+ "literals, such as 'span'. Encountered: $myExtraSafeTags");
}
}
public void testApplyForPySrc() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
PyExpr data = new PyExpr("'data'", Integer.MAX_VALUE);
assertThat(cleanHtml.applyForPySrc(data, ImmutableList.of()).getText())
.isEqualTo("sanitize.clean_html('data')");
}
public void testApplyForPySrc_optionalSafeTags() {
CleanHtmlDirective cleanHtml = new CleanHtmlDirective();
PyExpr data = new PyExpr("'data'", Integer.MAX_VALUE);
// All possible OptionalSafeTags.
ImmutableList optionalSafeTagsAsPyExprs =
FluentIterable.from(ImmutableSet.copyOf(OptionalSafeTag.values()))
.transform(OptionalSafeTag.TO_TAG_NAME)
.transform(STRING_TO_PY_EXPR)
.toList();
assertThat(cleanHtml.applyForPySrc(data, optionalSafeTagsAsPyExprs).getText())
.isEqualTo("sanitize.clean_html('data', ['li', 'ol', 'span', 'ul'])");
// Only the specified optional safe tags are passed to $$cleanHtml.
PyExpr span = new PyExpr("'span'", Integer.MAX_VALUE);
assertThat(cleanHtml.applyForPySrc(data, ImmutableList.of(span)).getText())
.isEqualTo("sanitize.clean_html('data', ['span'])");
// Invalid optional safe tags.
try {
PyExpr unsupported = new PyExpr("'unsupported'", Integer.MAX_VALUE);
cleanHtml.applyForPySrc(data, ImmutableList.of(unsupported));
fail("Non-whitelisted tag allowed to be sent as a safe-tag to 'clean_html'.");
} catch (IllegalArgumentException e) {
// Test passes.
}
try {
cleanHtml.applyForPySrc(data, ImmutableList.of(new PyExpr("'li, ul'", Integer.MAX_VALUE)));
fail("Invalid format allowed to be used as a safe-tag in 'clean_html'");
} catch (IllegalArgumentException e) {
// Test passes.
}
// Invalid parameter syntax.
try {
cleanHtml.applyForPySrc(
data, ImmutableList.of(new PyExpr("$myExtraSafeTags", Integer.MAX_VALUE)));
fail("Non-String allowed to be used as a safe-tag in 'clean_html'");
} catch (IllegalArgumentException e) {
assertThat(e).hasMessage("The cleanHtml directive expects arguments to be tag name string "
+ "literals, such as 'span'. Encountered: $myExtraSafeTags");
}
}
private SanitizedContent sanitizedHtml(String s) {
return UnsafeSanitizedContentOrdainer.ordainAsSafe(s, ContentKind.HTML);
}
private static final Function STRING_TO_JS_EXPR = new Function() {
@Override
public JsExpr apply(String input) {
return new JsExpr(String.format("'%s'", input), Integer.MAX_VALUE);
}
};
private static final Function STRING_TO_PY_EXPR = new Function() {
@Override
public PyExpr apply(String input) {
return new PyExpr(String.format("'%s'", input), Integer.MAX_VALUE);
}
};
}