Increase test coverage

Signed-off-by: Sven Strickroth <email@cs-ware.de>

Author: csware

src/main/java/org/owasp/html/CssSchema.java

@@ -164,15 +164,16 @@ public static CssSchema withProperties(
     Map<String, Property> propertyMap =
         new HashMap<>();
     // check that all fnKeys are defined in properties.
-    for (Map.Entry<String, Property> e : propertyMap.entrySet()) {
+    for (Map.Entry<? extends String, ? extends Property> e : properties.entrySet()) {
       Property property = e.getValue();
       for (String fnKey : property.fnKeys.values()) {
-        if (!propertyMap.containsKey(fnKey)) {
+        if (!properties.containsKey(fnKey)) {
           throw new IllegalArgumentException(
               "Property map is not self contained.  " + e.getValue()
               + " depends on undefined function key " + fnKey);
         }
       }
+      propertyMap.put(e.getKey(), e.getValue());
     }
     return new CssSchema(Map.copyOf(propertyMap));
   }

src/test/java/org/owasp/html/CssSchemaTest.java

@@ -55,6 +55,9 @@ public static final void testDangerousProperties() {
           // Prefix corner cases.
           "-",
           "-moz-",
+          "-ms-",
+          "-o-",
+          "-webkit-",
         }) {
       assertSame(key, CssSchema.DISALLOWED, CssSchema.DEFAULT.forKey(key));
     }

src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java

@@ -29,8 +29,10 @@
 package org.owasp.html;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -229,6 +231,96 @@ public static final void testStyleFiltering() {
               .allowStandardUrlProtocols()));
   }
 
+  @Test
+  public void testSpecificStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align", "font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
+  @Test
+  public void testUnionStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p style=\"color:red\">Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(CssSchema.withProperties(
+                  List.of("color", "text-align")))
+              .allowStyling( // union allowed style properties
+                   CssSchema.withProperties(List.of("font-size")))
+              .allowStandardUrlProtocols()));
+  }
+
+  @Test
+  public void testCustomPropertyStyleFilterung() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p style=\"text-align:center\">Stylish Para 1</p>",
+            "<p>Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(
+                  CssSchema.withProperties(
+                      Map.of("text-align",
+                          new CssSchema.Property(0,
+                              Set.of("center"),
+                              Collections.emptyMap()))))
+              .allowStandardUrlProtocols()));
+  }
+
+  @Test
+  public void testCustomPropertyStyleFilterungDisallowed() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "<h1>Header</h1>",
+            "<p>Paragraph 1</p>",
+            "<p>Click me out</p>",
+            "<p></p>",
+            "<p><b>Fancy</b> with <i><b>soupy</b></i><b> tags</b>.",
+            "</p><p>Stylish Para 1</p>",
+            "<p>Stylish Para 2</p>",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+              .allowCommonInlineFormattingElements()
+              .allowCommonBlockElements()
+              .allowStyling(
+                      CssSchema.withProperties(
+                          Map.of("text-align",
+                              new CssSchema.Property(0,
+                                  Set.of("left", "right"),
+                                  Collections.emptyMap()))))
+              .allowStandardUrlProtocols()));
+  }
+
   @Test
   public static final void testElementTransforming() {
     assertEquals(
@@ -289,6 +381,25 @@ public static final void testAllowUrlProtocols() {
             .allowUrlProtocols("http")));
   }
 
+  @Test
+  public static final void testDisallowUrlProtocols() {
+    assertEquals(
+        Arrays.stream(new String[] {
+            "Header",
+            "Paragraph 1",
+            "Click me out",
+            "<img src=\"canary.png\" alt=\"local-canary\" />",
+            "Fancy with soupy tags.",
+            "Stylish Para 1",
+            "Stylish Para 2",
+            ""}).collect(Collectors.joining("\n")),
+        apply(new HtmlPolicyBuilder()
+            .allowElements("img")
+            .allowAttributes("src", "alt").onElements("img")
+            .allowUrlProtocols("http", "https")
+            .disallowUrlProtocols("http")));
+  }
+
   @Test
   public static final void testPossibleFalloutFromIssue5() {
     assertEquals(
@@ -434,6 +545,55 @@ public static final void testUrlChecksLayer() {
         );
   }
 
+  @Test
+  public static final void testAllowProtocolRelativeUrls() {
+      FilterUrlByProtocolAttributePolicy attributePolicy =
+          new FilterUrlByProtocolAttributePolicy(List.of("http", "https"));
+      attributePolicy.allowProtocolRelativeUrls();
+
+      assertEquals(
+        ""
+                + "Mailto link\n"
+                + "<a href=\"http://example.com/\">Link</a>\n"
+                + "<a href=\"https://example.com/\">Link</a>\n"
+                + "<a href=\"//example.com/\">Link</a>\n",
+        apply(
+            new HtmlPolicyBuilder()
+            .allowElements("a")
+            .allowAttributes("href")
+            .matching(attributePolicy)
+            .onElements("a")
+            .allowUrlProtocols("https", "http"),
+            ""
+            + "<a href=\"mailto:example@example.com/\">Mailto link</a>\n"
+            + "<a href=\"http://example.com/\">Link</a>\n"
+            + "<a href=\"https://example.com/\">Link</a>\n"
+            + "<a href=\"//example.com/\">Link</a>\n"
+            )
+        );
+
+      assertEquals(
+          ""
+                  + "Mailto link\n"
+                  + "Link\n"
+                  + "<a href=\"https://example.com/\">Link</a>\n"
+                  + "Link\n",
+          apply(
+              new HtmlPolicyBuilder()
+              .allowElements("a")
+              .allowAttributes("href")
+              .matching(attributePolicy)
+              .onElements("a")
+              .allowUrlProtocols("https"),
+              ""
+              + "<a href=\"mailto:example@example.com/\">Mailto link</a>\n"
+              + "<a href=\"http://example.com/\">Link</a>\n"
+              + "<a href=\"https://example.com/\">Link</a>\n"
+              + "<a href=\"//example.com/\">Link</a>\n"
+              )
+          );
+  }
+
   @Test
   public static final void testDuplicateAttributesDoNotReachElementPolicy() {
     final int[] idCount = new int[1];
@@ -913,6 +1073,42 @@ public static final void testDirLi() {
             "<dir compact=\"compact\"><li>something</li></dir>"));
   }
 
+  @Test
+  public void testDisallowTextIn() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div")
+        .allowAttributes("style").onElements("div");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals("<div style=\"display:node\">Some Text</div>",
+        allowPolicy.sanitize("<div style=\"display:node\">Some Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowTextIn("div").toFactory();
+    assertEquals("<div style=\"display:node\"></div>",
+        disallowTextPolicy.sanitize(
+            "<div style=\"display:node\">Some Text</div>"));
+  }
+
+  @Test
+  public void testDisallowAttribute() {
+    HtmlPolicyBuilder sharedPolicyBuilder = new HtmlPolicyBuilder()
+        .allowElements("div", "p")
+        .allowAttributes("style").onElements("div", "p");
+
+    PolicyFactory allowPolicy = sharedPolicyBuilder.toFactory();
+    assertEquals(
+        "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>",
+            allowPolicy.sanitize(
+                "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+
+    PolicyFactory disallowTextPolicy =
+        sharedPolicyBuilder.disallowAttributes("style").onElements("p").toFactory();
+    assertEquals("<p>Some</p><div style=\"display:node\">Text</div>",
+        disallowTextPolicy.sanitize(
+            "<p style=\"display:node\">Some</p><div style=\"display:node\">Text</div>"));
+  }
+
   @Test
   public static void testScriptTagWithCommentBlockContainingHtmlCommentEnd() {
     PolicyFactory scriptSanitizer = new HtmlPolicyBuilder()

src/test/java/org/owasp/html/SanitizersTest.java

@@ -157,6 +157,58 @@ public static final void testImages() {
         );
   }
 
+  @Test
+  public static final void testIntegerAttributePolicy() {
+    PolicyFactory s = Sanitizers.IMAGES;
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" height=\"0\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=0 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" height=\"069\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=069 border=0>")
+            );
+
+    assertEquals(
+        "<img src=\"x.png\" alt=\"y\" height=\"64\" border=\"0\" />",
+        s.sanitize(
+            "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=64.43 border=0>")
+        );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=-64 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=\"\" border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=.43 border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=something border=0>")
+            );
+
+    assertEquals(
+            "<img src=\"x.png\" alt=\"y\" border=\"0\" />",
+            s.sanitize(
+                "<img src=\"x.png\" alt=\"y\" width=\"widgy\" height=596thin border=0>")
+            );
+  }
+
   @Test
   public static final void testLinks() {
     PolicyFactory s = Sanitizers.LINKS;