fixup! Reintroduce the old sanitizer testsuite from html5lib-tests

Author: gsnedders

html5lib/tests/sanitizer-testdata/tests1.dat

@@ -20,13 +20,13 @@
   {
     "name": "background_attribute",
     "input": "<div background=\"javascript:alert('XSS')\"></div>",
-    "output": "<div/>"
+    "output": "<div></div>"
   },
 
   {
     "name": "bgsound",
     "input": "<bgsound src=\"javascript:alert('XSS');\" />",
-    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"/&gt;"
+    "output": "&lt;bgsound src=\"javascript:alert('XSS');\"&gt;&lt;/bgsound&gt;"
   },
 
   {
@@ -44,13 +44,13 @@
   {
     "name": "double_open_angle_brackets",
     "input": "<img src=http://ha.ckers.org/scriptlet.html <",
-    "output": "<img src='http://ha.ckers.org/scriptlet.html'>"
+    "output": ""
   },
 
   {
     "name": "double_open_angle_brackets_2",
     "input": "<script src=http://ha.ckers.org/scriptlet.html <",
-    "output": "&lt;script src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;"
+    "output": ""
   },
 
   {
@@ -80,13 +80,13 @@
   {
     "name": "link_stylesheets",
     "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/&gt;"
+    "output": "&lt;link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"&gt;"
   },
 
   {
     "name": "link_stylesheets_2",
     "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />",
-    "output": "&lt;link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/&gt;"
+    "output": "&lt;link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"&gt;"
   },
 
   {
@@ -98,13 +98,13 @@
   {
     "name": "no_closing_script_tags",
     "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;"
+    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;"
   },
 
   {
     "name": "non_alpha_non_digit",
     "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\" xss=\"\"&gt;&lt;/script&gt;"
   },
 
   {
@@ -134,7 +134,7 @@
   {
     "name": "platypus",
     "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>",
-    "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>"
+    "output": "<a style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;' href='http://www.ragingplatypus.com/'>never trust your upstream platypus</a>"
   },
 
   {
@@ -290,13 +290,13 @@
   {
     "name": "should_sanitize_half_open_scripts",
     "input": "<img src=\"javascript:alert('XSS')\"",
-    "output": "<img/>"
+    "output": ""
   },
 
   {
     "name": "should_sanitize_invalid_script_tag",
     "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>",
-    "output": "&lt;script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"&gt;&lt;/script&gt;"
+    "output": "&lt;script src=\"http://ha.ckers.org/xss.js\" xss=\"\"&gt;&lt;/script&gt;"
   },
 
   {
@@ -308,7 +308,7 @@
   {
     "name": "should_sanitize_script_tag_with_multiple_open_brackets_2",
     "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<",
-    "output": "&lt;iframe src=\"http://ha.ckers.org/scriptlet.html\" &lt;=\"\"&gt;"
+    "output": ""
   },
 
   {
@@ -320,7 +320,7 @@
   {
     "name": "should_sanitize_unclosed_script",
     "input": "<script src=http://ha.ckers.org/xss.js?<b>",
-    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;"
+    "output": "&lt;script src=\"http://ha.ckers.org/xss.js?&amp;lt;b\"&gt;&lt;/script&gt;"
   },
 
   {
@@ -367,67 +367,67 @@
 
   {
     "name": "uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(#foo)' />",
-    "output": "<rect fill='url(#foo)'/>"
+    "input": "<svg><rect fill='url(#foo)' />",
+    "output": "<svg><rect fill='url(#foo)'></rect></svg>"
   },
 
   {
     "name": "absolute_uri_refs_in_svg_attributes",
-    "input": "<rect fill='url(http://bad.com/) #fff' />",
-    "output": "<rect fill='  #fff'/>"
+    "input": "<svg><rect fill='url(http://bad.com/) #fff' />",
+    "output": "<svg><rect fill='  #fff'></rect></svg>"
   },
 
   {
     "name": "uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill='url(\n#foo)' />",
-    "output": "<rect fill='url(\n#foo)'/>"
+    "input": "<svg><rect fill='url(\n#foo)' />",
+    "output": "<svg><rect fill='url(\n#foo)'></rect></svg>"
   },
 
   {
     "name": "absolute_uri_ref_with_space_in svg_attribute",
-    "input": "<rect fill=\"url(\nhttp://bad.com/)\" />",
-    "output": "<rect fill=' '/>"
+    "input": "<svg><rect fill=\"url(\nhttp://bad.com/)\" />",
+    "output": "<svg><rect fill=' '></rect></svg>"
   },
 
   {
     "name": "allow_html5_image_tag",
     "input": "<image src='foo' />",
-    "output": "&lt;image src=\"foo\"/&gt;"
+    "output": "<img src='foo'/>"
   },
 
   {
     "name": "style_attr_end_with_nothing",
     "input": "<div style=\"color: blue\" />",
-    "output": "<div style='color: blue;'/>"
+    "output": "<div style='color: blue;'></div>"
   },
 
   {
     "name": "style_attr_end_with_space",
     "input": "<div style=\"color: blue \" />",
-    "output": "<div style='color: blue ;'/>"
+    "output": "<div style='color: blue ;'></div>"
   },
 
   {
     "name": "style_attr_end_with_semicolon",
     "input": "<div style=\"color: blue;\" />",
-    "output": "<div style='color: blue;'/>"
+    "output": "<div style='color: blue;'></div>"
   },
 
   {
     "name": "style_attr_end_with_semicolon_space",
     "input": "<div style=\"color: blue; \" />",
-    "output": "<div style='color: blue;'/>"
+    "output": "<div style='color: blue;'></div>"
   },
 
   {
    "name": "attributes_with_embedded_quotes",
    "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />",
-   "output": "<img src='doesntexist.jpg&quot;&apos;onerror=&quot;alert(1)'/>"
+   "output": "<img src='doesntexist.jpg\"&#39;onerror=\"alert(1)'/>"
   },
 
   {
    "name": "attributes_with_embedded_quotes_II",
    "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />",
-   "output": "<img src='notthere.jpg&quot;&quot;onerror=&quot;alert(2)'/>"
+   "output": "<img src='notthere.jpg\"\"onerror=\"alert(2)'/>"
   }
 ]

html5lib/tests/sanitizer.py

@@ -33,7 +33,8 @@ def runtest(self):
                                use_trailing_solidus=True,
                                space_before_trailing_solidus=False,
                                quote_attr_values=True,
-                               quote_char="'")
+                               quote_char="'",
+                               alphabeticalize_attributes=True)
         errorMsg = "\n".join(["\n\nInput:", input,
                               "\nExpected:", expected,
                               "\nReceived:", serialized])