yesodweb / haskell-xss-sanitize

prevent XSS attacks by sanitizing html (this is different than escaping!)

xss-sanitize 0.3.7 causes downstream tests to fail #24

Open DanBurton opened 2 years ago

DanBurton commented 2 years ago

Here are snippets of what I observed on the stackage build server. I can try to provide better repro instructions upon request.

yesod-markdown-0.12.6.11

    Yesod.Markdown
      converts Markdown to sanitized HTML FAILED [1]
      converts Markdown to unsanitized HTML

    Failures:

      test/Spec.hs:33:9:
      1) Yesod.Markdown converts Markdown to sanitized HTML
           expected: "<h1 id=\"title\">Title</h1><ul><li>one</li><li>two</li><li>three</li></ul>\n  alert('xxs');\n"
            but got: "<h1 id=\"title\">Title</h1><ul><li>one</li><li>two</li><li>three</li></ul>"

markdown-0.1.17.4

      test/main.hs:230:26:
      1) html block xss
           expected: "alert(&quot;evil&quot;)"
            but got: ""

snoyberg commented 2 years ago

CC @pbrisbin. Apologies for the change here, see #22

pbrisbin commented 2 years ago

I'm happy to adjust this test to expect that the tag and contents are stripped, which I think is what's needed, but I indeed can't repro:

Selected resolver: nightly-2021-09-18
yesod-markdown> test (suite: test)

Yesod.Markdown
  converts Markdown to sanitized HTML
  converts Markdown to unsanitized HTML

Finished in 0.0080 seconds
2 examples, 0 failures

yesod-markdown> Test suite test passed

2021-09-18 seems to be what I get with --resolver nightly; is this behavior in something even newer?

pbrisbin commented 2 years ago

I updated yesod-markdown-0.12.6.12 to assert in a less brittle way that should pass on either behavior.
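
The following is an added example of the kind of behavior-agnostic check described above; it is not the actual yesod-markdown test suite, and the input string is constructed here to mirror the failing test. It uses `sanitizeBalance` from xss-sanitize and asserts the security property (no `<script>` element survives) plus retention of the safe markup, rather than comparing against an exact output string, so it passes whether the sanitizer drops the script tag together with its contents (as observed with 0.3.7) or drops the tag but keeps the text.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not part of yesod-markdown or xss-sanitize.
module Main (main) where

import Control.Monad (unless)
import Data.Text (Text)
import qualified Data.Text as T
import System.Exit (exitFailure)
import Text.HTML.SanitizeXSS (sanitizeBalance)

-- Constructed input: the safe markup from the yesod-markdown test
-- followed by an inline script that must not survive sanitization.
input :: Text
input = T.concat
  [ "<h1 id=\"title\">Title</h1>"
  , "<ul><li>one</li><li>two</li><li>three</li></ul>"
  , "<script>alert('xss');</script>"
  ]

-- Security property: no <script> element remains, regardless of whether
-- its text content was stripped or kept as inert text.
noScriptElement :: Text -> Bool
noScriptElement out = not ("<script" `T.isInfixOf` T.toLower out)

-- Functional property: the sanitizer did not over-strip safe markup.
keepsSafeMarkup :: Text -> Bool
keepsSafeMarkup out =
  "<h1" `T.isInfixOf` out && "<li>three</li>" `T.isInfixOf` out

main :: IO ()
main = do
  let out = sanitizeBalance input
  unless (noScriptElement out && keepsSafeMarkup out) $ do
    putStrLn ("unexpected sanitizer output: " ++ T.unpack out)
    exitFailure
  putStrLn "ok: no <script> element survives and safe markup is retained"
```

Asserting on these two properties instead of an exact string is what keeps the test stable across sanitizer releases that legitimately differ in how much of a disallowed element they remove.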

andreasabel commented 2 years ago

Change title? There is no xss-sanitize-0.6.7, at least not on Hackage.