Adds allowlist for html attrs

2022-02-03 13:15:06 -08:00
parent 3b48d986d5
commit 1f6ecc39ac
2 changed files with 23 additions and 2 deletions
--- a/bookwyrm/tests/test_sanitize_html.py
+++ b/bookwyrm/tests/test_sanitize_html.py
@ -24,13 +24,24 @@ class Sanitizer(TestCase):
        self.assertEqual(input_text, output)

    def test_valid_html_attrs(self):
-        """and don't remove attributes"""
+        """and don't remove useful attributes"""
        input_text = '<a href="fish.com">yes    </a> <i>html</i>'
        parser = InputHtmlParser()
        parser.feed(input_text)
        output = parser.get_output()
        self.assertEqual(input_text, output)

+    def test_valid_html_invalid_attrs(self):
+        """do remove un-approved attributes"""
+        input_text = '<a href="fish.com" fish="hello">yes    </a> <i>html</i>'
+        parser = InputHtmlParser()
+        parser.feed(input_text)
+        output = parser.get_output()
+        self.assertEqual(
+            output,
+            '<a href="fish.com">yes    </a> <i>html</i>'
+        )
+
    def test_invalid_html(self):
        """remove all html when the html is malformed"""
        input_text = "<b>yes  <i>html</i>"