Commit0d43e6a

committed

refactor(editor): adjust xss test && clean up

1 parente8d940e commit0d43e6aCopy full SHA for 0d43e6a

File tree

4 files changed

+46

-25

lines changed

lib/helper/converter/editor_to_html
- index.ex
- validator
  - index.ex
test/helper/converter/editor_to_html_test
- index_test.exs
- list_test.exs

4 files changed

+46

-25

lines changed

`‎lib/helper/converter/editor_to_html/index.ex‎`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -131,9 +131,5 @@ defmodule Helper.Converter.EditorToHTML do`
`131`	`131`	`"<div class=\"#{@clazz.unknow_block}\">[unknow block]</div>"`
`132`	`132`	`end`
`133`	`133`
`134`		`-defpinvalid_hint(part,message)do`
`135`		`-"<div class=\"#{@clazz.invalid_block}\">[invalid-block]#{part}:#{message}</div>"`
`136`		`-end`
`137`		`-`
`138`	`134`	`defstring_to_json(string),do:Jason.decode(string)`
`139`	`135`	`end`

`‎lib/helper/converter/editor_to_html/validator/index.ex‎`

Lines changed: 0 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,18 +64,6 @@ defmodule Helper.Converter.EditorToHTML.Validator do`
`64`	`64`	`validate_with(type,parent_schema,item_schema,data)`
`65`	`65`	`end`
`66`	`66`
`67`		`-defpvalidate_block(%{"type"=>"code"})do`
`68`		`-# schema = %{text: [:string]}`
`69`		`-# case Schema.cast(schema, data) do`
`70`		`-# {:error, errors} ->`
`71`		`-# format_parse_error("paragraph", errors)`
`72`		`-`
`73`		`-# _ ->`
`74`		`-# {:ok, :pass}`
`75`		`-# end`
`76`		`-{:ok,:pass}`
`77`		`-end`
`78`		`-`
`79`	`67`	`defpvalidate_block(%{"type"=>type}),do:raise("undown#{type} block")`
`80`	`68`
`81`	`69`	`defpvalidate_block(e),do:raise("undown block:#{e}")`

`‎test/helper/converter/editor_to_html_test/index_test.exs‎`

Lines changed: 44 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,19 +2,25 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML do`
`2`	`2`	`@moduledocfalse`
`3`	`3`
`4`	`4`	`useGroupherServerWeb.ConnCase,async:true`
	`5`	`+`
	`6`	`+aliasHelper.Metric`
`5`	`7`	`aliasHelper.Converter.EditorToHTML,as:Parser`
`6`	`8`
`7`	`9`	`# alias Helper.Metric`
`8`	`10`	`# @clazz Metric.Article.class_names(:html)`
`9`	`11`
	`12`	`+# "<addr class="cdx-lock">hello</addr> Editor.js <mark class="cdx-marker">workspace</mark>. is an element <script>alert("hello")</script>"`
	`13`	`+`
	`14`	`+# "text" : "<script>evil scripts</script>"`
	`15`	`+@clazzMetric.Article.class_names(:html)`
	`16`	`+`
`10`	`17`	`@real_editor_data~S({`
`11`	`18`	`"time" : 1567250876713,`
`12`	`19`	`"blocks" : [`
`13`	`20`	`{`
`14`		`- "type" : "code",`
	`21`	`+ "type" : "paragraph",`
`15`	`22`	`"data" : {`
`16`		`- "lang" : "js",`
`17`		`- "text" : "<script>evil scripts</script>"`
	`23`	`+ "text": "content"`
`18`	`24`	`}`
`19`	`25`	`}`
`20`	`26`	`],`
`@@ -113,12 +119,43 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML do`
`113`	`119`	`describe"[secure issues]"do`
`114`	`120`	`@tag:wip`
`115`	`121`	`test"code block should avoid potential xss script attack"do`
`116`		`-{:ok,converted}=Parser.to_html(@real_editor_data)`
	`122`	`+editor_json=%{`
	`123`	`+"time"=>1_567_250_876_713,`
	`124`	`+"blocks"=>[`
	`125`	`+%{`
	`126`	`+"type"=>"paragraph",`
	`127`	`+"data"=>%{`
	`128`	`+"text"=>"<script>evel script</script>"`
	`129`	`+}`
	`130`	`+}`
	`131`	`+],`
	`132`	`+"version"=>"2.15.0"`
	`133`	`+}`
	`134`	`+`
	`135`	`+{:ok,editor_string}=Jason.encode(editor_json)`
	`136`	`+{:ok,converted}=Parser.to_html(editor_string)`
	`137`	`+`
	`138`	`+assertconverted==`
	`139`	`+"<div class=\"#{@clazz.viewer}\"><p>evel script</p><div>"`
`117`	`140`
`118`		`-safe_script=`
`119`		`-"<pre><code class=\"lang-js\"><script>evil scripts</script></code></pre>"`
	`141`	`+editor_json=%{`
	`142`	`+"time"=>1_567_250_876_713,`
	`143`	`+"blocks"=>[`
	`144`	`+%{`
	`145`	`+"type"=>"paragraph",`
	`146`	`+"data"=>%{`
	`147`	`+"text"=>"Editor.js is an element <script>evel script</script>"`
	`148`	`+}`
	`149`	`+}`
	`150`	`+],`
	`151`	`+"version"=>"2.15.0"`
	`152`	`+}`
	`153`	`+`
	`154`	`+{:ok,editor_string}=Jason.encode(editor_json)`
	`155`	`+{:ok,converted}=Parser.to_html(editor_string)`
`120`	`156`
`121`		`-assertconverted\|>String.contains?(safe_script)`
	`157`	`+assertconverted==`
	`158`	`+"<div class=\"#{@clazz.viewer}\"><p>Editor.js is an element <script>evel script</script></p><div>"`
`122`	`159`	`end`
`123`	`160`	`end`
`124`	`161`	`end`

`‎test/helper/converter/editor_to_html_test/list_test.exs‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML.List do`
`6`	`6`	`aliasHelper.Metric`
`7`	`7`	`aliasHelper.Converter.EditorToHTML,as:Parser`
`8`	`8`
`9`		`-@clazzMetric.Article.class_names(:html)`
	`9`	`+#@clazz Metric.Article.class_names(:html)`
`10`	`10`
`11`	`11`	`describe"[list block unit]"do`
`12`	`12`	`@editor_json%{`
`@@ -31,7 +31,7 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML.List do`
`31`	`31`	`],`
`32`	`32`	`"version"=>"2.15.0"`
`33`	`33`	`}`
`34`		`-@tag:wip2`
	`34`	`+@tag:wip`
`35`	`35`	`test"valid list parse should work"do`
`36`	`36`	`{:ok,editor_string}=Jason.encode(@editor_json)`
`37`	`37`	`# assert {:ok, converted} = Parser.to_html(editor_string)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0d43e6a

File tree

4 files changed

4 files changed

`‎lib/helper/converter/editor_to_html/index.ex‎`

`‎lib/helper/converter/editor_to_html/validator/index.ex‎`

`‎test/helper/converter/editor_to_html_test/index_test.exs‎`

`‎test/helper/converter/editor_to_html_test/list_test.exs‎`

0 commit comments