|
| 1 | +var d3 = require('d3'); |
| 2 | + |
| 3 | +var util = require('@src/lib/svg_text_utils'); |
| 4 | + |
| 5 | + |
| 6 | +describe('svg+text utils', function() { |
| 7 | + 'use strict'; |
| 8 | + |
| 9 | + describe('convertToTspans', function() { |
| 10 | + |
| 11 | + function mockTextSVGElement(txt) { |
| 12 | + return d3.select('body') |
| 13 | + .append('svg') |
| 14 | + .attr('id', 'text') |
| 15 | + .append('text') |
| 16 | + .text(txt) |
| 17 | + .call(util.convertToTspans); |
| 18 | + } |
| 19 | + |
| 20 | + afterEach(function() { |
| 21 | + d3.select('#text').remove(); |
| 22 | + }); |
| 23 | + |
| 24 | + it('checks for XSS attack in href', function() { |
| 25 | + var node = mockTextSVGElement( |
| 26 | + '<a href="javascript:alert(\'attack\')">XSS</a>' |
| 27 | + ) |
| 28 | + |
| 29 | + expect(node.text()).toEqual('XSS'); |
| 30 | + expect(node.select('a').attr('xlink:href')).toBe(null); |
| 31 | + }); |
| 32 | + |
| 33 | + it('checks for XSS attack in href (with plenty of white spaces)', function() { |
| 34 | + var node = mockTextSVGElement( |
| 35 | + '<a href = " javascript:alert(\'attack\')">XSS</a>' |
| 36 | + ) |
| 37 | + |
| 38 | + expect(node.text()).toEqual('XSS'); |
| 39 | + expect(node.select('a').attr('xlink:href')).toBe(null); |
| 40 | + }); |
| 41 | + |
| 42 | + it('whitelists http hrefs', function() { |
| 43 | + var node = mockTextSVGElement( |
| 44 | + '<a href="http://bl.ocks.org/">bl.ocks.org</a>' |
| 45 | + ) |
| 46 | + |
| 47 | + expect(node.text()).toEqual('bl.ocks.org'); |
| 48 | + expect(node.select('a').attr('xlink:href')).toEqual('http://bl.ocks.org/'); |
| 49 | + }); |
| 50 | + |
| 51 | + it('whitelists https hrefs', function() { |
| 52 | + var node = mockTextSVGElement( |
| 53 | + '<a href="https://plot.ly">plot.ly</a>' |
| 54 | + ) |
| 55 | + |
| 56 | + expect(node.text()).toEqual('plot.ly'); |
| 57 | + expect(node.select('a').attr('xlink:href')).toEqual('https://plot.ly'); |
| 58 | + }); |
| 59 | + |
| 60 | + it('whitelists mailto hrefs', function() { |
| 61 | + var node = mockTextSVGElement( |
| 62 | + '<a href="mailto:[email protected]">support</a>' |
| 63 | + ) |
| 64 | + |
| 65 | + expect(node.text()).toEqual('support'); |
| 66 | + expect(node.select('a').attr('xlink:href')).toEqual('mailto:[email protected]'); |
| 67 | + }); |
| 68 | + }); |
| 69 | +}); |
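Review bot: The two negative cases pin only the lowercase `javascript:` spelling, with and without padding, so a regression in how `convertToTspans` normalises the scheme before checking it would still pass this suite. The positive cases are named as an allowlist (http, https, mailto), so I would add one case with a mixed-case scheme and one with a scheme outside that list, each ending in `expect(node.select('a').attr('xlink:href')).toBe(null);`. This assumes the implementation is allowlist-based; it is not visible on this page. On style, the five `mockTextSVGElement(...)` calls close with a bare `)` and rely on automatic semicolon insertion; end them with `);` to match the rest of the file.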