// // Blackfriday Markdown Processor // Available at http://github.com/russross/blackfriday // // Copyright © 2011 Russ Ross . // Distributed under the Simplified BSD License. // See README.md for details. // // // Unit tests for inline parsing // package blackfriday import ( "testing" ) func runMarkdownInline(input string, extensions, htmlFlags int) string { extensions |= EXTENSION_AUTOLINK extensions |= EXTENSION_STRIKETHROUGH htmlFlags |= HTML_USE_XHTML renderer := HtmlRenderer(htmlFlags, "", "") return string(Markdown([]byte(input), renderer, extensions)) } func doTestsInline(t *testing.T, tests []string) { doTestsInlineParam(t, tests, 0, 0) } func doSafeTestsInline(t *testing.T, tests []string) { doTestsInlineParam(t, tests, 0, HTML_SAFELINK) } func doTestsInlineParam(t *testing.T, tests []string, extensions, htmlFlags int) { // catch and report panics var candidate string /* defer func() { if err := recover(); err != nil { t.Errorf("\npanic while processing [%#v] (%v)\n", candidate, err) } }() */ for i := 0; i+1 < len(tests); i += 2 { input := tests[i] candidate = input expected := tests[i+1] actual := runMarkdownInline(candidate, extensions, htmlFlags) if actual != expected { t.Errorf("\nInput [%#v]\nExpected[%#v]\nActual [%#v]", candidate, expected, actual) } // now test every substring to stress test bounds checking if !testing.Short() { for start := 0; start < len(input); start++ { for end := start + 1; end <= len(input); end++ { candidate = input[start:end] _ = runMarkdownInline(candidate, extensions, htmlFlags) } } } } } func TestRawHtmlTag(t *testing.T) { tests := []string{ "zz \n", "

zz <style>p {}</style>

\n", "zz \n", "

zz <style>p {}</style>

\n", "\n", "

<script>alert()</script>

\n", "zz \n", "

zz <script>alert()</script>

\n", "zz \n", "

zz <script>alert()</script>

\n", " \n", "

<script>alert()</script>

\n", "\n", "<script>alert()</script>\n", "\n", "<script src='foo'></script>\n", "\n", "<script src='a>b'></script>\n", "zz \n", "

zz <script src='foo'></script>

\n", "zz \n", "

zz <script src=foo></script>

\n", ``, "<script><script src="http://example.com/exploit.js"></script></script>\n", `'';!--"=&{()}`, "

'';!--"<xss>=&{()}

\n", "", "

<script SRC=http://ha.ckers.org/xss.js></script>

\n", "", "

<script \nSRC=http://ha.ckers.org/xss.js></script>

\n", ``, "

\n", "", "

\n", "", "

\n", "", "

\n", `xss link`, "

xss link

\n", "xss link", "

xss link

\n", `">`, "

<script>alert(&quot;XSS&quot;)</script>">

\n", "", "

\n", ``, "

\n", ``, "

\n", ``, "

\n", "", "

\n", "", "

\n", "", "

\n", ``, "

\n", ``, "

\n", ``, "

\n", ``, "

\n", ``, "

\n", ``, "

<script/XSS SRC="http://ha.ckers.org/xss.js"></script>

\n", "", "

<body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")>

\n", ``, "

<script/SRC="http://ha.ckers.org/xss.js"></script>

\n", // HTML5 interprets the `, "

<<script>alert(&quot;XSS&quot;);//&lt;</script>

\n", // HTML5 parses the

within an unclosed