You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

521 lines
17 KiB

  1. require 'rails_helper'
  2. RSpec.describe Formatter do
  3. let(:local_account) { Fabricate(:account, domain: nil, username: 'alice') }
  4. let(:remote_account) { Fabricate(:account, domain: 'remote.test', username: 'bob', url: 'https://remote.test/') }
  5. shared_examples 'encode and link URLs' do
  6. context 'given a stand-alone medium URL' do
  7. let(:text) { 'https://hackernoon.com/the-power-to-build-communities-a-response-to-mark-zuckerberg-3f2cac9148a4' }
  8. it 'matches the full URL' do
  9. is_expected.to include 'href="https://hackernoon.com/the-power-to-build-communities-a-response-to-mark-zuckerberg-3f2cac9148a4"'
  10. end
  11. end
  12. context 'given a stand-alone google URL' do
  13. let(:text) { 'http://google.com' }
  14. it 'matches the full URL' do
  15. is_expected.to include 'href="http://google.com"'
  16. end
  17. end
  18. context 'given a stand-alone IDN URL' do
  19. let(:text) { 'https://nic.みんな/' }
  20. it 'matches the full URL' do
  21. is_expected.to include 'href="https://nic.みんな/"'
  22. end
  23. it 'has display URL' do
  24. is_expected.to include '<span class="">nic.みんな/</span>'
  25. end
  26. end
  27. context 'given a URL with a trailing period' do
  28. let(:text) { 'http://www.mcmansionhell.com/post/156408871451/50-states-of-mcmansion-hell-scottsdale-arizona. ' }
  29. it 'matches the full URL but not the period' do
  30. is_expected.to include 'href="http://www.mcmansionhell.com/post/156408871451/50-states-of-mcmansion-hell-scottsdale-arizona"'
  31. end
  32. end
  33. context 'given a URL enclosed with parentheses' do
  34. let(:text) { '(http://google.com/)' }
  35. it 'matches the full URL but not the parentheses' do
  36. is_expected.to include 'href="http://google.com/"'
  37. end
  38. end
  39. context 'given a URL with a trailing exclamation point' do
  40. let(:text) { 'http://www.google.com!' }
  41. it 'matches the full URL but not the exclamation point' do
  42. is_expected.to include 'href="http://www.google.com"'
  43. end
  44. end
  45. context 'given a URL with a trailing single quote' do
  46. let(:text) { "http://www.google.com'" }
  47. it 'matches the full URL but not the single quote' do
  48. is_expected.to include 'href="http://www.google.com"'
  49. end
  50. end
  51. context 'given a URL with a trailing angle bracket' do
  52. let(:text) { 'http://www.google.com>' }
  53. it 'matches the full URL but not the angle bracket' do
  54. is_expected.to include 'href="http://www.google.com"'
  55. end
  56. end
  57. context 'given a URL with a query string' do
  58. let(:text) { 'https://www.ruby-toolbox.com/search?utf8=%E2%9C%93&q=autolink' }
  59. it 'matches the full URL' do
  60. is_expected.to include 'href="https://www.ruby-toolbox.com/search?utf8=%E2%9C%93&amp;q=autolink"'
  61. end
  62. end
  63. context 'given a URL with parentheses in it' do
  64. let(:text) { 'https://en.wikipedia.org/wiki/Diaspora_(software)' }
  65. it 'matches the full URL' do
  66. is_expected.to include 'href="https://en.wikipedia.org/wiki/Diaspora_(software)"'
  67. end
  68. end
  69. context 'given a URL with Japanese path string' do
  70. let(:text) { 'https://ja.wikipedia.org/wiki/日本' }
  71. it 'matches the full URL' do
  72. is_expected.to include 'href="https://ja.wikipedia.org/wiki/日本"'
  73. end
  74. end
  75. context 'given a URL with Korean path string' do
  76. let(:text) { 'https://ko.wikipedia.org/wiki/대한민국' }
  77. it 'matches the full URL' do
  78. is_expected.to include 'href="https://ko.wikipedia.org/wiki/대한민국"'
  79. end
  80. end
  81. context 'given a URL with Simplified Chinese path string' do
  82. let(:text) { 'https://baike.baidu.com/item/中华人民共和国' }
  83. it 'matches the full URL' do
  84. is_expected.to include 'href="https://baike.baidu.com/item/中华人民共和国"'
  85. end
  86. end
  87. context 'given a URL with Traditional Chinese path string' do
  88. let(:text) { 'https://zh.wikipedia.org/wiki/臺灣' }
  89. it 'matches the full URL' do
  90. is_expected.to include 'href="https://zh.wikipedia.org/wiki/臺灣"'
  91. end
  92. end
  93. context 'given a URL containing unsafe code (XSS attack, visible part)' do
  94. let(:text) { %q{http://example.com/b<del>b</del>} }
  95. it 'escapes the HTML in the URL' do
  96. is_expected.to include '&lt;del&gt;b&lt;/del&gt;'
  97. end
  98. end
  99. context 'given a URL containing unsafe code (XSS attack, invisible part)' do
  100. let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
  101. it 'escapes the HTML in the URL' do
  102. is_expected.to include '&lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt;'
  103. end
  104. end
  105. context 'given text containing HTML code (script tag)' do
  106. let(:text) { '<script>alert("Hello")</script>' }
  107. it 'escapes the HTML' do
  108. is_expected.to include '<p>&lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt;</p>'
  109. end
  110. end
  111. context 'given text containing HTML (XSS attack)' do
  112. let(:text) { %q{<img src="javascript:alert('XSS');">} }
  113. it 'escapes the HTML' do
  114. is_expected.to include '<p>&lt;img src=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;</p>'
  115. end
  116. end
  117. context 'given an invalid URL' do
  118. let(:text) { 'http://www\.google\.com' }
  119. it 'outputs the raw URL' do
  120. is_expected.to eq '<p>http://www\.google\.com</p>'
  121. end
  122. end
  123. context 'given text containing a hashtag' do
  124. let(:text) { '#hashtag' }
  125. it 'creates a hashtag link' do
  126. is_expected.to include '/tags/hashtag" class="mention hashtag" rel="tag">#<span>hashtag</span></a>'
  127. end
  128. end
  129. end
  130. describe '#format_spoiler' do
  131. subject { Formatter.instance.format_spoiler(status) }
  132. context 'given a post containing plain text' do
  133. let(:status) { Fabricate(:status, text: 'text', spoiler_text: 'Secret!', uri: nil) }
  134. it 'Returns the spoiler text' do
  135. is_expected.to eq 'Secret!'
  136. end
  137. end
  138. context 'given a post with an emoji shortcode at the start' do
  139. let!(:emoji) { Fabricate(:custom_emoji) }
  140. let(:status) { Fabricate(:status, text: 'text', spoiler_text: ':coolcat: Secret!', uri: nil) }
  141. let(:text) { ':coolcat: Beep boop' }
  142. it 'converts the shortcode to an image tag' do
  143. is_expected.to match(/<img draggable="false" class="emojione" alt=":coolcat:"/)
  144. end
  145. end
  146. end
  147. describe '#format' do
  148. subject { Formatter.instance.format(status) }
  149. context 'given a post with local status' do
  150. context 'given a reblogged post' do
  151. let(:reblog) { Fabricate(:status, account: local_account, text: 'Hello world', uri: nil) }
  152. let(:status) { Fabricate(:status, reblog: reblog) }
  153. it 'returns original status with credit to its author' do
  154. is_expected.to include 'RT <span class="h-card"><a href="https://cb6e6126.ngrok.io/@alice" class="u-url mention">@<span>alice</span></a></span> Hello world'
  155. end
  156. end
  157. context 'given a post containing plain text' do
  158. let(:status) { Fabricate(:status, text: 'text', uri: nil) }
  159. it 'paragraphizes the text' do
  160. is_expected.to eq '<p>text</p>'
  161. end
  162. end
  163. context 'given a post containing line feeds' do
  164. let(:status) { Fabricate(:status, text: "line\nfeed", uri: nil) }
  165. it 'removes line feeds' do
  166. is_expected.not_to include "\n"
  167. end
  168. end
  169. context 'given a post containing linkable mentions' do
  170. let(:status) { Fabricate(:status, mentions: [ Fabricate(:mention, account: local_account) ], text: '@alice') }
  171. it 'creates a mention link' do
  172. is_expected.to include '<a href="https://cb6e6126.ngrok.io/@alice" class="u-url mention">@<span>alice</span></a></span>'
  173. end
  174. end
  175. context 'given a post containing unlinkable mentions' do
  176. let(:status) { Fabricate(:status, text: '@alice', uri: nil) }
  177. it 'does not create a mention link' do
  178. is_expected.to include '@alice'
  179. end
  180. end
  181. context do
  182. subject do
  183. status = Fabricate(:status, text: text, uri: nil)
  184. Formatter.instance.format(status)
  185. end
  186. include_examples 'encode and link URLs'
  187. end
  188. context 'given a post with custom_emojify option' do
  189. let!(:emoji) { Fabricate(:custom_emoji) }
  190. let(:status) { Fabricate(:status, account: local_account, text: text) }
  191. subject { Formatter.instance.format(status, custom_emojify: true) }
  192. context 'given a post with an emoji shortcode at the start' do
  193. let(:text) { ':coolcat: Beep boop' }
  194. it 'converts the shortcode to an image tag' do
  195. is_expected.to match(/<p><img draggable="false" class="emojione" alt=":coolcat:"/)
  196. end
  197. end
  198. context 'given a post with an emoji shortcode in the middle' do
  199. let(:text) { 'Beep :coolcat: boop' }
  200. it 'converts the shortcode to an image tag' do
  201. is_expected.to match(/Beep <img draggable="false" class="emojione" alt=":coolcat:"/)
  202. end
  203. end
  204. context 'given a post with concatenated emoji shortcodes' do
  205. let(:text) { ':coolcat::coolcat:' }
  206. it 'does not touch the shortcodes' do
  207. is_expected.to match(/:coolcat::coolcat:/)
  208. end
  209. end
  210. context 'given a post with an emoji shortcode at the end' do
  211. let(:text) { 'Beep boop :coolcat:' }
  212. it 'converts the shortcode to an image tag' do
  213. is_expected.to match(/boop <img draggable="false" class="emojione" alt=":coolcat:"/)
  214. end
  215. end
  216. end
  217. end
  218. context 'given a post with remote status' do
  219. let(:status) { Fabricate(:status, account: remote_account, text: 'Beep boop') }
  220. it 'reformats the post' do
  221. is_expected.to eq 'Beep boop'
  222. end
  223. context 'given a post with custom_emojify option' do
  224. let!(:emoji) { Fabricate(:custom_emoji, domain: remote_account.domain) }
  225. let(:status) { Fabricate(:status, account: remote_account, text: text) }
  226. subject { Formatter.instance.format(status, custom_emojify: true) }
  227. context 'given a post with an emoji shortcode at the start' do
  228. let(:text) { '<p>:coolcat: Beep boop<br />' }
  229. it 'converts the shortcode to an image tag' do
  230. is_expected.to match(/<p><img draggable="false" class="emojione" alt=":coolcat:"/)
  231. end
  232. end
  233. context 'given a post with an emoji shortcode in the middle' do
  234. let(:text) { '<p>Beep :coolcat: boop</p>' }
  235. it 'converts the shortcode to an image tag' do
  236. is_expected.to match(/Beep <img draggable="false" class="emojione" alt=":coolcat:"/)
  237. end
  238. end
  239. context 'given a post with concatenated emoji' do
  240. let(:text) { '<p>:coolcat::coolcat:</p>' }
  241. it 'does not touch the shortcodes' do
  242. is_expected.to match(/<p>:coolcat::coolcat:<\/p>/)
  243. end
  244. end
  245. context 'given a post with an emoji shortcode at the end' do
  246. let(:text) { '<p>Beep boop<br />:coolcat:</p>' }
  247. it 'converts the shortcode to an image tag' do
  248. is_expected.to match(/<br><img draggable="false" class="emojione" alt=":coolcat:"/)
  249. end
  250. end
  251. end
  252. end
  253. end
  254. describe '#reformat' do
  255. subject { Formatter.instance.reformat(text) }
  256. context 'given a post containing plain text' do
  257. let(:text) { 'Beep boop' }
  258. it 'keeps the plain text' do
  259. is_expected.to include 'Beep boop'
  260. end
  261. end
  262. context 'given a post containing script tags' do
  263. let(:text) { '<script>alert("Hello")</script>' }
  264. it 'strips the scripts' do
  265. is_expected.to_not include '<script>alert("Hello")</script>'
  266. end
  267. end
  268. context 'given a post containing malicious classes' do
  269. let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }
  270. it 'strips the malicious classes' do
  271. is_expected.to_not include 'status__content__spoiler-link'
  272. end
  273. end
  274. end
  275. describe '#plaintext' do
  276. subject { Formatter.instance.plaintext(status) }
  277. context 'given a post with local status' do
  278. let(:status) { Fabricate(:status, text: '<p>a text by a nerd who uses an HTML tag in text</p>', uri: nil) }
  279. it 'returns the raw text' do
  280. is_expected.to eq '<p>a text by a nerd who uses an HTML tag in text</p>'
  281. end
  282. end
  283. context 'given a post with remote status' do
  284. let(:status) { Fabricate(:status, account: remote_account, text: '<script>alert("Hello")</script>') }
  285. it 'returns tag-stripped text' do
  286. is_expected.to eq ''
  287. end
  288. end
  289. end
  290. describe '#simplified_format' do
  291. subject { Formatter.instance.simplified_format(account) }
  292. context 'given a post with local status' do
  293. let(:account) { Fabricate(:account, domain: nil, note: text) }
  294. context 'given a post containing linkable mentions for local accounts' do
  295. let(:text) { '@alice' }
  296. before { local_account }
  297. it 'creates a mention link' do
  298. is_expected.to eq '<p><span class="h-card"><a href="https://cb6e6126.ngrok.io/@alice" class="u-url mention">@<span>alice</span></a></span></p>'
  299. end
  300. end
  301. context 'given a post containing linkable mentions for remote accounts' do
  302. let(:text) { '@bob@remote.test' }
  303. before { remote_account }
  304. it 'creates a mention link' do
  305. is_expected.to eq '<p><span class="h-card"><a href="https://remote.test/" class="u-url mention">@<span>bob</span></a></span></p>'
  306. end
  307. end
  308. context 'given a post containing unlinkable mentions' do
  309. let(:text) { '@alice' }
  310. it 'does not create a mention link' do
  311. is_expected.to eq '<p>@alice</p>'
  312. end
  313. end
  314. context 'given a post with custom_emojify option' do
  315. let!(:emoji) { Fabricate(:custom_emoji) }
  316. before { account.note = text }
  317. subject { Formatter.instance.simplified_format(account, custom_emojify: true) }
  318. context 'given a post with an emoji shortcode at the start' do
  319. let(:text) { ':coolcat: Beep boop' }
  320. it 'converts the shortcode to an image tag' do
  321. is_expected.to match(/<p><img draggable="false" class="emojione" alt=":coolcat:"/)
  322. end
  323. end
  324. context 'given a post with an emoji shortcode in the middle' do
  325. let(:text) { 'Beep :coolcat: boop' }
  326. it 'converts the shortcode to an image tag' do
  327. is_expected.to match(/Beep <img draggable="false" class="emojione" alt=":coolcat:"/)
  328. end
  329. end
  330. context 'given a post with concatenated emoji shortcodes' do
  331. let(:text) { ':coolcat::coolcat:' }
  332. it 'does not touch the shortcodes' do
  333. is_expected.to match(/:coolcat::coolcat:/)
  334. end
  335. end
  336. context 'given a post with an emoji shortcode at the end' do
  337. let(:text) { 'Beep boop :coolcat:' }
  338. it 'converts the shortcode to an image tag' do
  339. is_expected.to match(/boop <img draggable="false" class="emojione" alt=":coolcat:"/)
  340. end
  341. end
  342. end
  343. include_examples 'encode and link URLs'
  344. end
  345. context 'given a post with remote status' do
  346. let(:text) { '<script>alert("Hello")</script>' }
  347. let(:account) { Fabricate(:account, domain: 'remote', note: text) }
  348. it 'reformats' do
  349. is_expected.to_not include '<script>alert("Hello")</script>'
  350. end
  351. context 'with custom_emojify option' do
  352. let!(:emoji) { Fabricate(:custom_emoji, domain: remote_account.domain) }
  353. before { remote_account.note = text }
  354. subject { Formatter.instance.simplified_format(remote_account, custom_emojify: true) }
  355. context 'given a post with an emoji shortcode at the start' do
  356. let(:text) { '<p>:coolcat: Beep boop<br />' }
  357. it 'converts shortcode to image tag' do
  358. is_expected.to match(/<p><img draggable="false" class="emojione" alt=":coolcat:"/)
  359. end
  360. end
  361. context 'given a post with an emoji shortcode in the middle' do
  362. let(:text) { '<p>Beep :coolcat: boop</p>' }
  363. it 'converts shortcode to image tag' do
  364. is_expected.to match(/Beep <img draggable="false" class="emojione" alt=":coolcat:"/)
  365. end
  366. end
  367. context 'given a post with concatenated emoji shortcodes' do
  368. let(:text) { '<p>:coolcat::coolcat:</p>' }
  369. it 'does not touch the shortcodes' do
  370. is_expected.to match(/<p>:coolcat::coolcat:<\/p>/)
  371. end
  372. end
  373. context 'given a post with an emoji shortcode at the end' do
  374. let(:text) { '<p>Beep boop<br />:coolcat:</p>' }
  375. it 'converts shortcode to image tag' do
  376. is_expected.to match(/<br><img draggable="false" class="emojione" alt=":coolcat:"/)
  377. end
  378. end
  379. end
  380. end
  381. end
  382. describe '#sanitize' do
  383. let(:html) { '<script>alert("Hello")</script>' }
  384. subject { Formatter.instance.sanitize(html, Sanitize::Config::MASTODON_STRICT) }
  385. it 'sanitizes' do
  386. is_expected.to eq 'alert("Hello")'
  387. end
  388. end
  389. end