No public description

PiperOrigin-RevId: 707444715

Author: neuracr

VERSION

@@ -0,0 +1 @@
+1.0.0

fixup.sh

@@ -1,13 +1,17 @@
 #!/bin/bash
 # Adds package.json files to cjs/mjs subtrees
 
-echo '{
-    "type": "commonjs"
-}' > dist/cjs/package.json
+VERSION=$(cat VERSION)
 
-echo '{
-    "type": "module"
-}' > dist/mjs/package.json
+echo "{
+    \"type\": \"commonjs\",
+    \"version\": \"${VERSION}\"
+}" > dist/cjs/package.json
+
+echo "{
+    \"type\": \"module\",
+    \"version\": \"${VERSION}\"
+}" > dist/mjs/package.json
 
 rm -rf dist/mjs/test
 mv dist/mjs/src/* dist/mjs

integration_tests/basic_import/package.json

@@ -29,8 +29,5 @@
     "karma-typescript": "^5.2.0",
     "typescript": "^4.1.2",
     "karma-typescript-es6-transform": "*"
-  },
-  "dependencies": {
-    "safevalues": "^0.3.1"
   }
 }

integration_tests/jest/package.json

@@ -27,7 +27,6 @@
     "@types/jest": "^27.0.0",
     "babel-jest": "^27.0.6",
     "jest": "^27.0.0",
-    "safevalues": "^0.3.1",
     "ts-jest": "^27.0.0",
     "typescript": "^3.9.10"
   }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "safevalues",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0",
   "description": "Safe builders for Trusted Types values",
   "repository": "https://github.com/google/safevalues",
   "author": "ISE Web Hardening Team",

test/builders/html_sanitizer/html_sanitizer_test.ts

@@ -5,7 +5,6 @@
  */
 
 import {secretToken} from '../../../src/internals/secrets';
-import {HTML_TEST_VECTORS} from '../../testing/testvectors/html_test_vectors';
 
 import {
   CssSanitizationFn,
@@ -51,16 +50,46 @@ function sanitizeAssertUnchanged(table: SanitizerTable, html: string): string {
     .toString();
 }
 
-describe('HtmlSanitizer', () => {
-  describe('using test vectors', () => {
-    for (const v of HTML_TEST_VECTORS) {
-      it(`passes testVector[${v.name}]`, () => {
-        const sanitized = sanitizeHtml(v.input).toString();
-        expect(v.acceptable).toContain(sanitized);
-      });
-    }
-  });
+describe('sanitizeHtml', () => {
+  interface TestCase {
+    html: string;
+    expected: string;
+  }
+  const testCases: TestCase[] = [
+    {
+      html: '<a href="javascript:evil()"></a>',
+      expected: '<a href="about:invalid#zClosurez"></a>',
+    },
+    {
+      html: 'ab<script>alert(1)</script>cd',
+      expected: 'abcd',
+    },
+    {
+      html: 'ab<style>*{}</style>cd',
+      expected: 'abcd',
+    },
+    {
+      html: '<iframe src="javascript:evil()"></iframe>',
+      expected: '',
+    },
+    {
+      html: '<img src=1 onerror=alert(1)>',
+      expected: '<img src="1" />',
+    },
+    {
+      html: '<select><style></select><script>alert(1)</script>',
+      expected: '<select></select>',
+    },
+  ];
+  for (const testCase of testCases) {
+    it(`sanitizes ${JSON.stringify(testCase.html)} correctly`, () => {
+      const sanitized = sanitizeHtml(testCase.html).toString();
+      expect(sanitized).toEqual(testCase.expected);
+    });
+  }
+});
 
+describe('HtmlSanitizer', () => {
   it('drops unknown elements', () => {
     const emptyTable = new SanitizerTable(
       new Set(),