microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License
3.2k stars 175 forks

`make test` fails on master #42

gerad closed 7 years ago

gerad commented 7 years ago

I just checked out master and ran `make test` and it fails.

```
$ make test
...
=== RUN   TestXSS
--- FAIL: TestXSS (0.00s)
    sanitize_test.go:1138: test 74 failed;
        input   : <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
        output  : 
        expected: <img src="%60javascript:alert%28%22RSnake">
    sanitize_test.go:1138: test 61 failed;
        input   : <IMG SRC="jav&#x0D;ascript:alert('XSS');">
        output  : 
        expected: <img src="jav%0Dascript:alert%28%27XSS%27%29;">
...
```

`make lint` also fails:

```
$ make lint
example_test.go is in package bluemonday_test, not bluemonday
```

I'm running go1.8.3.

```
$ go version
go version go1.8.3 darwin/amd64
```

grafana-dee commented 7 years ago

Nice catch.

Will investigate; this is probably the result of a difference in a later version of Go, and I will move to build flags to control which tests are valid on which version of Go.

dmitshur commented 7 years ago

This can be seen in CI as well:

https://travis-ci.org/microcosm-cc/bluemonday/builds/260671646

May (or may not) be related to this change in Go 1.9:

https://tip.golang.org/doc/go1.9#html/template

grafana-dee commented 7 years ago

Extremely likely to be related, and have been considering looping back and moving tests to be conditional on Go versions because of this. So will look into it later today (I'm in SF time, busy interviewing people this morning).

grafana-dee commented 7 years ago

Resolved by https://github.com/microcosm-cc/bluemonday/pull/45