From d3cbb3dab0605f3893a28a6ed71519d226a80dab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Passaro?= <sebastian.passaro@owasp.org>
Date: Mon, 1 Jan 2024 22:08:18 -0300
Subject: [PATCH] Add tests for updates on neko-htmlunit

New tests for "bang comments" and update a CDATA parsing test to adapt to new parsing behavior.
---
 pom.xml                                       |  2 +-
 .../validator/html/test/AntiSamyTest.java     | 33 +++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index c5392a9..767c236 100644
--- a/pom.xml
+++ b/pom.xml
@@ -94,7 +94,7 @@
         <dependency>
             <groupId>org.htmlunit</groupId>
             <artifactId>neko-htmlunit</artifactId>
-            <version>3.9.0</version>
+            <version>3.10.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents.client5</groupId>
diff --git a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
index f73e1cc..21aa664 100644
--- a/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
+++ b/src/test/java/org/owasp/validator/html/test/AntiSamyTest.java
@@ -1307,8 +1307,8 @@ public void CDATAByPass() throws ScanException, PolicyException {
     assertTrue(crd.getErrorMessages().size() > 0);
     assertTrue(crs.getErrorMessages().size() > 0);
 
-    assertTrue(crSax.contains("&lt;script") && !crDom.contains("<script"));
-    assertTrue(crDom.contains("&lt;script") && !crDom.contains("<script"));
+    assertThat(crDom, both(not(containsString("script"))).and(not(containsString("alert"))));
+    assertThat(crSax, both(not(containsString("script"))).and(not(containsString("alert"))));
   }
 
   @Test
@@ -2637,4 +2637,33 @@ public void testRegexStackOverflow() throws ScanException, PolicyException {
       fail("Parser should not throw a stack overflow error");
     }
   }
+
+  @Test
+  public void testBangCommentsWhenPreservingComments() throws ScanException, PolicyException {
+    // Concern is that when preserving comments, certain endings of comments would be
+    // misinterpreted.
+    TestPolicy revised = policy.cloneWithDirective(Policy.PRESERVE_COMMENTS, "true");
+    assertThat(
+        as.scan("<!--<div/>--!><img src=x onerror=mxss(1)> <li>--></p>", revised, AntiSamy.DOM)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan("<!--<div/>--!><img src=x onerror=mxss(1)> <li>--></p>", revised, AntiSamy.SAX)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan(
+                "<!--<div/>--><img src=x onerror=mxss(1)> <li>--></p><input/>",
+                revised,
+                AntiSamy.DOM)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+    assertThat(
+        as.scan(
+                "<!--<div/>--><img src=x onerror=mxss(1)> <li>--></p><input/>",
+                revised,
+                AntiSamy.SAX)
+            .getCleanHTML(),
+        not(containsString("mxss")));
+  }
 }