예제 #1
def test_markdown_xss_inline_html():
    """Inline HTML carrying a ``javascript:`` href must not survive rendering.

    The anchor tag is deliberately split across two blockquote lines before
    being handed to ``MarkupRenderer.markdown``.
    """
    quoted_lines = [
        '> <a name="n"',
        '> href="javascript:alert(\'XSS: pwned!\')">link</a>',
    ]
    output = MarkupRenderer.markdown('\n'.join(quoted_lines))
    dangerous_attr = 'href="javascript:alert(\'XSS: pwned!\')">'
    # NOTE(review): this substring check rules out only one exact
    # serialization of the attribute. Output that keeps the javascript:
    # scheme but quotes or entity-encodes it differently would still pass.
    assert dangerous_attr not in output
예제 #2
def test_markdown_inline_html():
    """Inline HTML is stripped even when the link target is a plain https URL.

    The expected output keeps the link text and shows the
    ``[HTML_REMOVED]`` placeholder on either side of it.
    """
    quoted_lines = [
        '> <a name="n"',
        '> href="https://rhodecode.com">link</a>',
    ]
    output = MarkupRenderer.markdown('\n'.join(quoted_lines))
    assert '[HTML_REMOVED]link[HTML_REMOVED]' in output
예제 #3
def test_markdown_xss_link():
    """A Markdown link targeting a ``javascript:`` URL must not become an href."""
    payload = "[link](javascript:alert('XSS: pwned!'))"
    output = MarkupRenderer.markdown(payload)
    unsafe_href = 'href="javascript:alert(\'XSS: pwned!\')"'
    # NOTE(review): this matches one literal rendering of the attribute.
    # A scheme-level check on every emitted href would also cover
    # entity-encoded or differently quoted variants.
    assert unsafe_href not in output