// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package templates
import (
"html/template"
"strings"
"testing"
"code.gitea.io/gitea/modules/htmlutil"
"code.gitea.io/gitea/modules/util"
"github.com/stretchr/testify/assert"
)
// TestSubjectBodySeparator checks where mailSubjectSplit locates the
// subject/body separator in a rendered mail template. The cases below show
// the accepted form: a run of at least three dashes that starts its own line,
// optionally followed by trailing whitespace. Dashes inside a line, dashes
// followed by text, indented dashes and a two-dash line do not split.
func TestSubjectBodySeparator(t *testing.T) {
	// check compares the text before and after the first separator match with
	// the expected subject and body. When nothing matches, the subject must be
	// empty and the whole input is the body.
	check := func(input, subject, body string) {
		match := mailSubjectSplit.FindIndex([]byte(input))
		if match == nil {
			assert.Empty(t, subject, "no subject found, but one expected")
			assert.Equal(t, body, input)
			return
		}
		assert.Equal(t, subject, input[0:match[0]])
		assert.Equal(t, body, input[match[1]:])
	}

	cases := []struct {
		input, subject, body string
	}{
		{"Simple\n---------------\nCase", "Simple\n", "\nCase"},
		{"Only\nBody", "", "Only\nBody"},
		{"Minimal\n---\nseparator", "Minimal\n", "\nseparator"},
		{"False --- separator", "", "False --- separator"},
		{"False\n--- separator", "", "False\n--- separator"},
		{"False ---\nseparator", "", "False ---\nseparator"},
		{"With extra spaces\n----- \t \nBody", "With extra spaces\n", "\nBody"},
		{"With leading spaces\n -------\nOnly body", "", "With leading spaces\n -------\nOnly body"},
		// Only the first separator splits; later ones stay in the body.
		{"Multiple\n---\n-------\n---\nSeparators", "Multiple\n", "\n-------\n---\nSeparators"},
		{"Insufficient\n--\nSeparators", "", "Insufficient\n--\nSeparators"},
	}
	for _, c := range cases {
		check(c.input, c.subject, c.body)
	}
}
// TestJSEscapeSafe pins the output of jsEscapeSafe for the five characters
// & < > ' " : the first three come back as \uXXXX escapes and the two quote
// characters as backslash escapes.
func TestJSEscapeSafe(t *testing.T) {
	const (
		raw  = `&<>'"`
		want = `\u0026\u003C\u003E\'\"`
	)
	assert.EqualValues(t, want, jsEscapeSafe(raw))
}
// TestSanitizeHTML pins three sanitizer outcomes on one input: a link with a
// plain "/" href is kept and gains rel="nofollow", an anchor with a
// "javascript:" href is reduced to its text, and the style attribute is
// removed from the div while the element itself is kept.
func TestSanitizeHTML(t *testing.T) {
	const input = `<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`
	want := template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`)

	got := SanitizeHTML(input)
	assert.Equal(t, want, got)
}
// TestTemplateIif verifies that the Iif template helper agrees with the
// template engine's own {{if}} truthiness for a mix of nil, bool, string and
// int values.
func TestTemplateIif(t *testing.T) {
	// Each render prints "<if result>:<Iif result>", so agreement shows up as
	// "true:true" or "false:false".
	tmpl := template.Must(
		template.New("test").
			Funcs(template.FuncMap{"Iif": iif}).
			Parse(`{{if .Value}}true{{else}}false{{end}}:{{Iif .Value "true" "false"}}`),
	)

	cases := []any{nil, false, true, "", "string", 0, 1}
	var buf strings.Builder
	truthy := 0
	for i, v := range cases {
		buf.Reset()
		err := tmpl.Execute(&buf, struct{ Value any }{v})
		assert.NoError(t, err, "case %d (%T) %#v fails", i, v, v)

		got := buf.String()
		isTruthy := got == "true:true"
		truthy += util.Iif(isTruthy, 1, 0)
		assert.True(t, isTruthy || got == "false:false", "case %d (%T) %#v fail: %s", i, v, v, got)
	}

	// Guard against a vacuous pass: the cases must hit both branches.
	bothBranchesSeen := truthy != 0 && truthy != len(cases)
	assert.True(t, bothBranchesSeen)
}
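// TestTemplateEscape pins how values are escaped when rendered through
// html/template with the QueryBuild and HTMLFormat helpers registered.
// These expectations are the regression guard against unescaped values
// reaching URL attributes or HTML output.
func TestTemplateEscape(t *testing.T) {
	// execTmpl parses code as a template with both helpers available,
	// executes it with nil data and returns the rendered text.
	execTmpl := func(code string) string {
		tmpl := template.New("test")
		tmpl.Funcs(template.FuncMap{"QueryBuild": QueryBuild, "HTMLFormat": htmlutil.HTMLFormat})
		template.Must(tmpl.Parse(code))
		w := &strings.Builder{}
		assert.NoError(t, tmpl.Execute(w, nil))
		return w.String()
	}

	t.Run("Golang URL Escape", func(t *testing.T) {
		// Golang template considers "href", "*src*", "*uri*", "*url*" (and more) ... attributes as contentTypeURL and does auto-escaping
		actual := execTmpl(`<a href="?a={{"%"}}"></a>`)
		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
		actual = execTmpl(`<a data-xxx-url="?a={{"%"}}"></a>`)
		assert.Equal(t, `<a data-xxx-url="?a=%25"></a>`, actual)
	})
	t.Run("Golang URL No-escape", func(t *testing.T) {
		// An attribute the template engine does not classify as a URL gets no
		// percent-encoding, so "%" passes through unchanged. Templates that put
		// query strings into such attributes must encode the values themselves.
		actual := execTmpl(`<a data-link="?a={{"%"}}"></a>`)
		assert.Equal(t, `<a data-link="?a=%"></a>`, actual)
	})
	t.Run("QueryBuild", func(t *testing.T) {
		// QueryBuild output inside href must be encoded exactly once: the
		// result is "%25", not a double-encoded "%2525", in both call forms.
		actual := execTmpl(`<a href="{{QueryBuild "?" "a" "%"}}"></a>`)
		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
		actual = execTmpl(`<a href="?{{QueryBuild "a" "%"}}"></a>`)
		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
	})
	t.Run("HTMLFormat", func(t *testing.T) {
		// The string arguments `"` and `<>` land in an attribute value and in
		// element content, so the output must carry them entity-escaped. A raw
		// `"` would close the attribute and a raw `<>` would be parsed as markup.
		// NOTE(review): the entity spellings assume HTMLFormat escapes strings
		// the way html/template's HTMLEscapeString does; confirm against htmlutil.
		actual := execTmpl("{{HTMLFormat `<a k=\"%s\">%s</a>` `\"` `<>`}}")
		assert.Equal(t, `<a k="&#34;">&lt;&gt;</a>`, actual)
	})
}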