    def exec_main_proc(self):
        """Store the editable copy of an article in the content-edit table.

        The caller's identity is the ``cognito:username`` claim from the
        request's authorizer claims and is written as ``user_id``; ``title``,
        ``body`` and ``overview`` are passed through ``TextSanitizer`` first,
        and empty values are normalised by ``DBUtil.items_values_empty_to_none``
        before the ``update_item`` call.

        Returns:
            ``{'statusCode': 200}`` once the update has been issued.
        """
        edit_table = self.dynamodb.Table(
            os.environ['ARTICLE_CONTENT_EDIT_TABLE_NAME'])
        claims = self.event['requestContext']['authorizer']['claims']
        params = self.params

        # NOTE(review): eye_catch_url is stored as received, unlike the other
        # text fields — confirm that it is validated before it reaches here.
        values = {
            ':user_id': claims['cognito:username'],
            ':title': TextSanitizer.sanitize_text(params.get('title')),
            ':body': TextSanitizer.sanitize_article_body(params.get('body')),
            ':overview': TextSanitizer.sanitize_text(params.get('overview')),
            ':eye_catch_url': params.get('eye_catch_url'),
        }
        DBUtil.items_values_empty_to_none(values)

        update_expression = (
            "set user_id = :user_id, title = :title, body=:body, "
            "overview=:overview, eye_catch_url=:eye_catch_url"
        )
        edit_table.update_item(
            Key={'article_id': params['article_id']},
            UpdateExpression=update_expression,
            ExpressionAttributeValues=values,
        )

        return {'statusCode': 200}
    def test_sanitize_article_body_with_evil_img_tag(self):
        """An ``onerror`` handler on an ``<img>`` hosted on our domain is dropped.

        The tag itself and its ``src`` are expected to survive unchanged.
        """
        domain = os.environ['DOMAIN']
        evil_html = '''
        <h2>sample h2</h2>
        <img src="http://{domain}/hoge.png" onerror='document.alert('evil')'>
        '''.format(domain=domain)
        clean_html = '''
        <h2>sample h2</h2>
        <img src="http://{domain}/hoge.png">
        '''.format(domain=domain)

        self.assertEqual(
            TextSanitizer.sanitize_article_body(evil_html), clean_html)
    def test_sanitize_article_body_with_evil_a_tag(self):
        """An ``onclick`` handler on an ``<a>`` is dropped; ``href`` and text stay."""
        evil_html = '''
        <h2>sample h2</h2>
        <a href="http://example.com" onclick="document.alert("evil")">link</a>
        '''
        clean_html = '''
        <h2>sample h2</h2>
        <a href="http://example.com">link</a>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(evil_html), clean_html)
    def test_sanitize_article_body_with_div(self):
        """A ``<script>`` element is escaped to text rather than removed.

        Despite the method name, no ``<div>`` is involved here: the fixture
        contains a heading and a script block, and the expected output keeps
        the script source as entity-escaped text.
        """
        evil_html = '''
        <h2>sample h2</h2>
        <script>document.alert('evil')</script>
        '''
        escaped_html = '''
        <h2>sample h2</h2>
        &lt;script&gt;document.alert('evil')&lt;/script&gt;
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(evil_html), escaped_html)
    def test_sanitize_article_body_with_div_unauthorized_class(self):
        """A ``<div>`` with a non-whitelisted ``class`` and a ``data`` attribute is stripped to a bare ``<div>``."""
        input_html = '''
        <h2>sample h2</h2>
        <div class='hoge piyo' data='aaa'></div>
        '''
        expected = '''
        <h2>sample h2</h2>
        <div></div>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(input_html), expected)
    def test_sanitize_article_body_with_evil_other_site_url(self):
        """An ``<img>`` whose ``src`` points at a foreign host loses its ``src``.

        The element survives as an empty ``<img>``; only the attribute is removed.
        """
        input_html = '''
        <h2>sample h2</h2>
        <img src="http://hoge.com/hoge.png">
        '''
        expected = '''
        <h2>sample h2</h2>
        <img>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(input_html), expected)
    def test_sanitize_article_body_with_figcaption_unauthorized_attribute(self):
        """``contenteditable='false'``, an unknown ``class`` and ``data`` are all dropped from ``<figcaption>``."""
        input_html = '''
        <h2>sample h2</h2>
        <figcaption contenteditable='false' class='hoge' data='aaa'></figcaption>
        '''
        expected = '''
        <h2>sample h2</h2>
        <figcaption></figcaption>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(input_html), expected)
    def test_sanitize_article_body_with_figure_unauthorized_contenteditable(self):
        """``contenteditable='true'`` and a ``data`` attribute are dropped from ``<figure>``.

        Compare with the full-document test, where ``contenteditable="false"`` on
        a ``<figure>`` is kept.
        """
        input_html = '''
        <h2>sample h2</h2>
        <figure contenteditable='true' data='aaa'></figure>
        '''
        expected = '''
        <h2>sample h2</h2>
        <figure></figure>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(input_html), expected)
    def __create_article_content(self, params, article_id):
        """Insert the content row for a newly created article.

        ``body`` and ``title`` are sanitised before being written and empty
        values are normalised to ``None``; ``created_at`` is the current Unix
        time in whole seconds. The conditional expression makes the put fail
        instead of overwriting a row whose ``article_id`` already exists (the
        DynamoDB client's conditional-check error propagates to the caller).

        Args:
            params: request parameters; ``body`` and ``title`` are read with ``get``.
            article_id: partition key of the row being created.
        """
        content_table = self.dynamodb.Table(
            os.environ['ARTICLE_CONTENT_TABLE_NAME'])

        item = {
            'article_id': article_id,
            'body': TextSanitizer.sanitize_article_body(params.get('body')),
            'title': TextSanitizer.sanitize_text(params.get('title')),
            'created_at': int(time.time()),
        }
        DBUtil.items_values_empty_to_none(item)

        content_table.put_item(
            Item=item,
            ConditionExpression='attribute_not_exists(article_id)',
        )
    def test_sanitize_article_body_with_div_unauthorized_url(self):
        """A ``data-alis-iframely-url`` whose value embeds a ``<script>`` fragment is dropped.

        The first ``<div>`` additionally checks that an unknown ``class``,
        ``data`` and ``contenteditable='true'`` are all removed; the second
        keeps its text content but loses the attribute.
        """
        input_html = '''
        <h2>sample h2</h2>
        <div class='hoge piyo' data='aaa' contenteditable='true'></div>
        <div data-alis-iframely-url="https://example.com/hoge?<script>piyo</script>">hoge</div>
        '''
        expected = '''
        <h2>sample h2</h2>
        <div></div>
        <div>hoge</div>
        '''

        self.assertEqual(
            TextSanitizer.sanitize_article_body(input_html), expected)
    def __update_article_content(self):
        """Overwrite ``title`` and ``body`` of an existing article content row.

        Both values come from ``self.params``, are sanitised with
        ``TextSanitizer`` and normalised by ``DBUtil.items_values_empty_to_none``
        before the ``update_item`` call keyed on ``self.params['article_id']``.
        """
        content_table = self.dynamodb.Table(
            os.environ['ARTICLE_CONTENT_TABLE_NAME'])
        params = self.params

        values = {
            ':title': TextSanitizer.sanitize_text(params.get('title')),
            ':body': TextSanitizer.sanitize_article_body(params.get('body')),
        }
        DBUtil.items_values_empty_to_none(values)

        content_table.update_item(
            Key={'article_id': params['article_id']},
            UpdateExpression="set title = :title, body=:body",
            ExpressionAttributeValues=values,
        )
    def test_sanitize_article_body(self):
        """A document made only of allowed markup passes through the sanitizer unchanged.

        The fixture covers the heading, inline and block tags, the
        ``medium-insert-images`` figure layouts (with ``contenteditable="false"``
        on figures and ``contenteditable="true"`` on captions), images hosted on
        ``DOMAIN``, a plain link and ``data-alis-iframely-url`` divs, including
        one whose query string carries percent-encoded markup.
        """
        domain = os.environ['DOMAIN']
        allowed_html = '''
        <h2>sample h2</h2>

        <h3>sample h3</h3>

        <i>icon</i><p>sentence</p><u>under bar</u>

        <b>bold</b><br><blockquote>blockquote</blockquote>
        <div class="medium-insert-images">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="" contenteditable="true">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-left" contenteditable="false">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="" contenteditable="true"></figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-right" contenteditable="false">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption contenteditable="true">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-grid">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
                <figcaption class="">aaaaaa</figcaption>
            </figure>
        </div>
        <div class="medium-insert-images medium-insert-images-wide">
            <figure contenteditable="false">
                <img src="http://{domain}/hoge">
            </figure>
        </div>
        <a href="http://example.com">link</a>
        <div data-alis-iframely-url="https://twitter.com/hoge">hoge</div>
        <div data-alis-iframely-url="https://example.com/hoge?x=1">hoge</div>
        <div data-alis-iframely-url="http://example.com/hoge?x=1%3Cdiv%3Ehoge%3C%2Fdiv%3E">hoge</div>
        '''.format(domain=domain)

        # Expected output is the input itself: nothing here should be altered.
        self.assertEqual(
            TextSanitizer.sanitize_article_body(allowed_html), allowed_html)