TestRun_EventHandlerAttrBlocked verifies on*-handlers (onclick etc.) are stripped — they are an event-handler injection vector.
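// TestRun_EventHandlerAttrBlocked verifies on*-handlers (onclick etc.) are
// stripped — they are an event-handler injection vector. It checks that the
// report carries exactly one finding with the expected rule ID, that neither
// the handler attribute nor its script payload survives in the cleaned HTML,
// and that an unrelated attribute on the same element is preserved.
func TestRun_EventHandlerAttrBlocked(t *testing.T) {
	const payload = "alert(1)"
	rep := Run(`<p onclick="alert(1)" id="ok">x</p>`, Options{})

	// Fatalf rather than Errorf: the next check indexes Blocked[0], which
	// would panic on an empty slice.
	if len(rep.Blocked) != 1 {
		t.Fatalf("expected 1 blocked finding, got %d", len(rep.Blocked))
	}
	if rep.Blocked[0].RuleID != RuleAttrEventHandlerBlocked {
		t.Errorf("rule = %s, want %s", rep.Blocked[0].RuleID, RuleAttrEventHandlerBlocked)
	}

	// Both the attribute name and its value must be gone: a sanitizer that
	// drops the name but leaks the script text into the output is still unsafe.
	if strings.Contains(rep.CleanedHTML, "onclick") {
		t.Errorf("onclick should be stripped, cleaned=%q", rep.CleanedHTML)
	}
	if strings.Contains(rep.CleanedHTML, payload) {
		t.Errorf("handler payload %q should not survive, cleaned=%q", payload, rep.CleanedHTML)
	}

	// Stripping must be targeted: benign attributes on the same element stay.
	if !strings.Contains(rep.CleanedHTML, `id="ok"`) {
		t.Errorf("non-handler attrs should survive, cleaned=%q", rep.CleanedHTML)
	}
}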
| 238 | // TestRun_OnErrorAttrBlocked tests one of the more common XSS vectors. |
| 239 | func TestRun_OnErrorAttrBlocked(t *testing.T) { |