Add tests for updates on neko-htmlunit

New tests for "bang comments" and update a CDATA parsing test to adapt to new parsing behavior.
nahsra · Jan 2, 2024 · d3cbb3d · d3cbb3d
1 parent 3f585bc
commit d3cbb3d
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 3 deletions.
diff --git a/pom.xml b/pom.xml
@@ -94,7 +94,7 @@
         <dependency>
             <groupId>org.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <version>3.9.0</version>
+            <version>3.10.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>

diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -1307,8 +1307,8 @@ public void CDATAByPass() throws ScanException, PolicyException {
     assertTrue(crd.getErrorMessages().size() > 0);
     assertTrue(crs.getErrorMessages().size() > 0);
 
-    assertTrue(crSax.contains("&lt;script") && !crDom.contains("<script"));
-    assertTrue(crDom.contains("&lt;script") && !crDom.contains("<script"));
+    assertThat(crDom, both(not(containsString("script"))).and(not(containsString("alert"))));
+    assertThat(crSax, both(not(containsString("script"))).and(not(containsString("alert"))));
   }
 
   @Test
@@ -2637,4 +2637,33 @@ public void testRegexStackOverflow() throws ScanException, PolicyException {
       fail("Parser should not throw a stack overflow error");
     }
   }
+
+  @Test
+  public void testBangCommentsWhenPreservingComments() throws ScanException, PolicyException {
+    // Concern is that when preserving comments, certain endings of comments would be
+    // misinterpreted.
+    TestPolicy revised = policy.cloneWithDirective(Policy.PRESERVE_COMMENTS, "true");
+    assertThat(
+        as.scan("<!--<div/>--!><img src=x onerror=mxss(1)> <li>--></p>", revised, AntiSamy.DOM)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan("<!--<div/>--!><img src=x onerror=mxss(1)> <li>--></p>", revised, AntiSamy.SAX)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan(
+                "<!--<div/>--><img src=x onerror=mxss(1)> <li>--></p><input/>",
+                revised,
+                AntiSamy.DOM)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan(
+                "<!--<div/>--><img src=x onerror=mxss(1)> <li>--></p><input/>",
+                revised,
+                AntiSamy.SAX)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+  }
 }