===================================================================== URL scheme allow-list. ===================================================================== TestRun_JavaScriptURLBlocked verifies javascript: hrefs are stripped.
(t *testing.T)
| 255 | |
// TestRun_JavaScriptURLBlocked checks that an anchor whose href uses the
// javascript: scheme is reported under RuleAttrJSURLBlocked and that the
// scheme text does not appear in the cleaned HTML.
func TestRun_JavaScriptURLBlocked(t *testing.T) {
	const input = `<a href="javascript:alert(1)">click</a>`
	report := Run(input, Options{})

	// One finding with the JS-URL rule ID is enough; stop at the first match.
	ruleFired := false
	for _, finding := range report.Blocked {
		if finding.RuleID == RuleAttrJSURLBlocked {
			ruleFired = true
			break
		}
	}
	if !ruleFired {
		t.Errorf("javascript: URL should fire ATTR_JS_URL_BLOCKED, got %+v", report.Blocked)
	}

	// The substring check is case-sensitive and the input uses the lowercase
	// scheme, so this only shows that the literal form is gone from the output.
	// NOTE(review): other spellings of the scheme (mixed case, padded with
	// whitespace) are not exercised here; confirm sibling tests cover them.
	if strings.Contains(report.CleanedHTML, "javascript:") {
		t.Errorf("javascript: should be stripped, cleaned=%q", report.CleanedHTML)
	}
}
| 272 | |
| 273 | // TestRun_VBScriptURLBlocked verifies vbscript: is rejected. |
| 274 | func TestRun_VBScriptURLBlocked(t *testing.T) { |