chore: fixes test cases and adds few new tests

wikimedia · Jul 5, 2024 · 592c7e3 · 592c7e3
1 parent 956f275
commit 592c7e3
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/openedx/core/djangolib/tests/test_markup.py b/openedx/core/djangolib/tests/test_markup.py
@@ -11,7 +11,7 @@
 from django.utils.translation import ngettext
 from mako.template import Template
 
-from openedx.core.djangolib.markup import HTML, Text, strip_all_tags_but_br
+from openedx.core.djangolib.markup import HTML, HTMLCleaner, Text, strip_all_tags_but_br
 
 
 @ddt.ddt
@@ -157,3 +157,50 @@ def test_clean_dengers_html_filter(self):
         assert not html_soup.find('form')
         assert not html_soup.find('blink')
         assert not html_soup.find('object')
+
+
+class TestHTMLCleaner(unittest.TestCase):
+    """
+    Tests that Url links are being cleaned properly and no useful link is removed.
+    """
+
+    def setUp(self):
+        self.cleaner = HTMLCleaner(style=True, inline_style=False, safe_attrs_only=False)
+
+    def test_valid_urls(self):
+        https_url = "https://example.com"
+        http_url = "http://example.com/path/to/page"
+        ftp_url = "ftp://ftp.example.com/resource"
+        file_url = "file://localhost/path/to/file"
+
+        cleaned_url = self.cleaner._remove_javascript_link(https_url)
+        self.assertEqual(cleaned_url, https_url)
+
+        cleaned_url = self.cleaner._remove_javascript_link(http_url)
+        self.assertEqual(cleaned_url, http_url)
+
+        cleaned_url = self.cleaner._remove_javascript_link(ftp_url)
+        self.assertEqual(cleaned_url, ftp_url)
+
+        cleaned_url = self.cleaner._remove_javascript_link(file_url)
+        self.assertEqual(cleaned_url, file_url)
+
+    def test_javascript_link(self):
+        cleaned_url = self.cleaner._remove_javascript_link("javascript:alert('Hello')")
+        self.assertIsNone(cleaned_url)
+
+    def test_mixed_case_scheme(self):
+        """
+        Javascript can be executed this way so this code should be removed.
+        """
+        url = "javascript:alert('hello') https://example.com"
+        cleaned_url = self.cleaner._remove_javascript_link(url)
+        self.assertIsNone(cleaned_url)
+
+    def test_sub_scheme_match(self):
+        """
+        Javascript cannot be executed this way so these urls are safe.
+        """
+        url = "https://example.com/data:something"
+        cleaned_url = self.cleaner._remove_javascript_link(url)
+        self.assertEqual(cleaned_url, url)
diff --git a/openedx/features/wikimedia_features/messenger/apps.py b/openedx/features/wikimedia_features/messenger/apps.py
@@ -20,7 +20,6 @@ class MessengerConfig(AppConfig):
         PluginSettings.CONFIG: {
             ProjectType.LMS: {
                 SettingsType.COMMON: {PluginSettings.RELATIVE_PATH: 'settings.common'},
-                SettingsType.TEST: {PluginSettings.RELATIVE_PATH: 'settings.test'},
             }
         }
     }