aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/safe_mode/unsafe_urls.html24
-rw-r--r--tests/safe_mode/unsafe_urls.txt27
2 files changed, 51 insertions, 0 deletions
diff --git a/tests/safe_mode/unsafe_urls.html b/tests/safe_mode/unsafe_urls.html
new file mode 100644
index 0000000..8eda30d
--- /dev/null
+++ b/tests/safe_mode/unsafe_urls.html
@@ -0,0 +1,24 @@
+<p>These links should be unsafe and not allowed in safe_mode
+</p>
+<p><a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+ <a href="">link</a>
+</p>
+<p><img src="" alt="img"/><a href="">ref</a>
+ <img src="" alt="imgref"/>
+</p>
+<p>These should work regardless:
+</p>
+<p><a href="relative/url.html">relative</a>
+ <a href="mailto:foo@bar.com">email</a>
+ <a href="news:some.news.group.com">news scheme</a>
+ <a href="http://example.com">http link</a>
+</p> \ No newline at end of file
diff --git a/tests/safe_mode/unsafe_urls.txt b/tests/safe_mode/unsafe_urls.txt
new file mode 100644
index 0000000..7bfd81d
--- /dev/null
+++ b/tests/safe_mode/unsafe_urls.txt
@@ -0,0 +1,27 @@
+These links should be unsafe and not allowed in safe_mode
+
+[link](javascript:alert%28'Hello%20world!'%29)
+[link](vbscript:msgbox%28%22Hello%20world!%22%29)
+[link](livescript:alert%28'Hello%20world!'%29)
+[link](mocha:[code])
+[link](jAvAsCrIpT:alert%28'Hello%20world!'%29)
+[link](ja&#32;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja&#00032;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja&#x00020;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja%09&#x20;%0Avas&#32;cr&#x0a;ipt:alert%28'Hello%20world!'%29)
+[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29)
+[link](live%20script:alert%28'Hello%20world!'%29)
+
+![img](javascript:alert%29'XSS'%29)
+[ref][]
+![imgref][]
+
+[ref]: javascript:alert%29'XSS'%29
+[imgref]: javascript:alert%29'XSS'%29
+
+These should work regardless:
+
+[relative](relative/url.html)
+[email](mailto:foo@bar.com)
+[news scheme](news:some.news.group.com)
+[http link](http://example.com)