refactor(editor): adjust xss test && clean up

Author: mydearxym

lib/helper/converter/editor_to_html/index.ex

@@ -131,9 +131,5 @@ defmodule Helper.Converter.EditorToHTML do
     "<div class=\"#{@clazz.unknow_block}\">[unknow block]</div>"
   end
 
-  defp invalid_hint(part, message) do
-    "<div class=\"#{@clazz.invalid_block}\">[invalid-block] #{part}:#{message}</div>"
-  end
-
   def string_to_json(string), do: Jason.decode(string)
 end

lib/helper/converter/editor_to_html/validator/index.ex

@@ -64,18 +64,6 @@ defmodule Helper.Converter.EditorToHTML.Validator do
     validate_with(type, parent_schema, item_schema, data)
   end
 
-  defp validate_block(%{"type" => "code"}) do
-    # schema = %{text: [:string]}
-    # case Schema.cast(schema, data) do
-    #   {:error, errors} ->
-    #     format_parse_error("paragraph", errors)
-
-    #   _ ->
-    #     {:ok, :pass}
-    # end
-    {:ok, :pass}
-  end
-
   defp validate_block(%{"type" => type}), do: raise("undown #{type} block")
 
   defp validate_block(e), do: raise("undown block: #{e}")

test/helper/converter/editor_to_html_test/index_test.exs

@@ -2,19 +2,25 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML do
   @moduledoc false
 
   use GroupherServerWeb.ConnCase, async: true
+
+  alias Helper.Metric
   alias Helper.Converter.EditorToHTML, as: Parser
 
   # alias Helper.Metric
   # @clazz Metric.Article.class_names(:html)
 
+  #   "<addr class="cdx-lock">hello</addr> Editor.js <mark class="cdx-marker">workspace</mark>. is an element &lt;script&gt;alert("hello")&lt;/script&gt;"
+
+  #   "text" : "<script>evil scripts</script>"
+  @clazz Metric.Article.class_names(:html)
+
   @real_editor_data ~S({
     "time" : 1567250876713,
     "blocks" : [
         {
-            "type" : "code",
+            "type" : "paragraph",
             "data" : {
-                "lang" : "js",
-                "text" : "<script>evil scripts</script>"
+                "text": "content"
             }
         }
     ],
@@ -113,12 +119,43 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML do
   describe "[secure issues]" do
     @tag :wip
     test "code block should avoid potential xss script attack" do
-      {:ok, converted} = Parser.to_html(@real_editor_data)
+      editor_json = %{
+        "time" => 1_567_250_876_713,
+        "blocks" => [
+          %{
+            "type" => "paragraph",
+            "data" => %{
+              "text" => "<script>evel script</script>"
+            }
+          }
+        ],
+        "version" => "2.15.0"
+      }
+
+      {:ok, editor_string} = Jason.encode(editor_json)
+      {:ok, converted} = Parser.to_html(editor_string)
+
+      assert converted ==
+               "<div class=\"#{@clazz.viewer}\"><p>evel script</p><div>"
 
-      safe_script =
-        "<pre><code class=\"lang-js\">&lt;script&gt;evil scripts&lt;/script&gt;</code></pre>"
+      editor_json = %{
+        "time" => 1_567_250_876_713,
+        "blocks" => [
+          %{
+            "type" => "paragraph",
+            "data" => %{
+              "text" => "Editor.js is an element &lt;script&gt;evel script&lt;/script&gt;"
+            }
+          }
+        ],
+        "version" => "2.15.0"
+      }
+
+      {:ok, editor_string} = Jason.encode(editor_json)
+      {:ok, converted} = Parser.to_html(editor_string)
 
-      assert converted |> String.contains?(safe_script)
+      assert converted ==
+               "<div class=\"#{@clazz.viewer}\"><p>Editor.js is an element &lt;script&gt;evel script&lt;/script&gt;</p><div>"
     end
   end
 end

test/helper/converter/editor_to_html_test/list_test.exs

@@ -6,7 +6,7 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML.List do
   alias Helper.Metric
   alias Helper.Converter.EditorToHTML, as: Parser
 
-  @clazz Metric.Article.class_names(:html)
+  # @clazz Metric.Article.class_names(:html)
 
   describe "[list block unit]" do
     @editor_json %{
@@ -31,7 +31,7 @@ defmodule GroupherServer.Test.Helper.Converter.EditorToHTML.List do
       ],
       "version" => "2.15.0"
     }
-    @tag :wip2
+    @tag :wip
     test "valid list parse should work" do
       {:ok, editor_string} = Jason.encode(@editor_json)
       # assert {:ok, converted} = Parser.to_html(editor_string)