test: ensure tests pass when nokogiri uses system libxml2

flavorjones · flavorjones · commit 9778c471211a · 2022-06-09T18:02:33.000-04:00
Specifically the patch that affects this behavior is nokogiri/patches/libxml2/0002-Update-entities-to-remove-handling-of-ssi.patch which was introduced to avoid server-side-include vulnerabilities, see sparklemotion/nokogiri@4852e43
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -505,7 +505,13 @@ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a href="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/ system libxml2
+      %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
@@ -515,7 +521,13 @@ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a src="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
@@ -525,7 +537,13 @@ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a name="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
@@ -535,7 +553,13 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
 
     text = safe_list_sanitize(html, attributes: ['action'])
 
-    assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a action="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_exclude_node_type_processing_instructions
