[Sanitizer API] Update default handling for comments and data-*.

This tracks development of the spec: WICG/sanitizer-api#254 The PR makes the default for "comments:" and "dataAttributes:" keys in the configuration depend on whether this is for safe or unsafe use. That requires a bit of plumbing, since now the logic to interpret a config depends on a new flag. Also adds test cases. Bug: 356601280 Change-Id: I076c5418006b0dc35babbffd7d991e04c0f1d522 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6189121 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Cr-Commit-Position: refs/heads/main@{#1415510}
web-platform-tests · Feb 4, 2025 · 0792096 · 0792096
1 parent 4d536dc
commit 0792096
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 8 deletions.
diff --git a/sanitizer-api/sanitizer-basic-filtering.tentative.html b/sanitizer-api/sanitizer-basic-filtering.tentative.html
@@ -138,14 +138,6 @@
 
 </script>
 <script id="dataAttributes" type="html5lib-testcases">
-#data
-<p data-x="1" data-y="2" data-z="3">
-#document
-| <p>
-|   data-x="1"
-|   data-y="2"
-|   data-z="3"
-
 #data
 <p data-x="1" data-y="2" data-z="3">
 #config

diff --git a/sanitizer-api/sanitizer-boolean-defaults.tentative.html b/sanitizer-api/sanitizer-boolean-defaults.tentative.html
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Test boolean defaults in config per PR #254</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+// Test cases extracted from : https://github.com/WICG/sanitizer-api/pull/254
+//
+// These are somewhat redundant with tests in sanitizer-config.tentative.html,
+// so maybe we can long-term merge them together.
+
+// Comments.
+test(t => {
+  function try_unsafe(config) {
+    const div = document.createElement("div");
+    div.setHTMLUnsafe("<!--bla-->", config)
+    return div.innerHTML.includes("<!--");
+  }
+  function try_safe(config) {
+    const div = document.createElement("div");
+    div.setHTML("<!--bla-->", config)
+    return div.innerHTML.includes("<!--");
+  }
+
+  assert_true(new Sanitizer().get().comments, "1");
+  assert_true(new Sanitizer({}).get().comments, "2");
+  assert_true(new Sanitizer({comments: true}).get().comments, "3");
+  assert_false(new Sanitizer({comments: false}).get().comments, "4");
+
+  assert_true(try_unsafe(), "5");
+  assert_true(try_unsafe({sanitizer:{}}), "6");
+  assert_true(try_unsafe({sanitizer:{comments:true}}), "7");
+  assert_false(try_unsafe({sanitizer:{comments:false}}), "8");
+
+  assert_false(try_safe(), "9");
+  assert_false(try_safe({sanitizer:{}}), "10");
+  assert_true(try_safe({sanitizer:{comments:true}}), "11");
+  assert_false(try_safe({sanitizer:{comments:false}}), "12");
+}, "comments");
+
+// Data Attributes:
+test(t => {
+  function try_unsafe(config) {
+    const div = document.createElement("div");
+    div.setHTMLUnsafe("<div data-foo='bar'>", config)
+    return div.innerHTML.includes("data-foo");
+  }
+  function try_safe(config) {
+    const div = document.createElement("div");
+    div.setHTML("<div data-foo='bar'>", config)
+    return div.innerHTML.includes("data-foo");
+  }
+
+  assert_true(new Sanitizer().get().dataAttributes, "1");
+  assert_true(new Sanitizer({}).get().dataAttributes, "2");
+  assert_true(new Sanitizer({dataAttributes: true}).get().dataAttributes, "3");
+  assert_false(new Sanitizer({dataAttributes: false}).get().dataAttributes, "4");
+
+  assert_true(try_unsafe(), "5");
+  assert_true(try_unsafe({sanitizer:{}}), "6");
+  assert_true(try_unsafe({sanitizer:{dataAttributes:true}}), "7");
+  assert_false(try_unsafe({sanitizer:{dataAttributes:false}}), "8");
+
+  assert_false(try_safe(), "9");
+  assert_false(try_safe({sanitizer:{}}), "10");
+  assert_true(try_safe({sanitizer:{dataAttributes:true}}), "11");
+  assert_false(try_safe({sanitizer:{dataAttributes:false}}), "12");
+}, "data attributes");
+
+</script>
+</body>
+</html>
diff --git a/sanitizer-api/sanitizer-config.tentative.html b/sanitizer-api/sanitizer-config.tentative.html
@@ -32,6 +32,8 @@
 }, "Sanitizer constructor with config ignore unknown values.");
 
 test(t => {
+  assert_true(new Sanitizer().get().comments);
+  assert_true(new Sanitizer({}).get().comments);
   assert_true(new Sanitizer({comments: true}).get().comments);
   assert_false(new Sanitizer({comments: false}).get().comments);
 
@@ -45,6 +47,8 @@
 }, "SanitizerConfig comments field.");
 
 test(t => {
+  assert_true(new Sanitizer().get().dataAttributes);
+  assert_true(new Sanitizer({}).get().dataAttributes);
   assert_true(new Sanitizer({dataAttributes: true}).get().dataAttributes);
   assert_false(new Sanitizer({dataAttributes: false}).get().dataAttributes);
 

diff --git a/sanitizer-api/sethtml-safety.sub.dat b/sanitizer-api/sethtml-safety.sub.dat
@@ -47,3 +47,9 @@ script
 | <img>
 |   one="two"
 |   src="https://{{host}}/test-image"
+
+#data
+<p data-x="1" data-y="2" data-z="3">
+#document
+| <p>
+
diff --git a/sanitizer-api/sethtml-unsafety.sub.dat b/sanitizer-api/sethtml-unsafety.sub.dat
@@ -58,3 +58,12 @@ script
 |   onclick="2+2"
 |   one="two"
 |   src="https://{{host}}/test-image"
+
+#data
+<p data-x="1" data-y="2" data-z="3">
+#document
+| <p>
+|   data-x="1"
+|   data-y="2"
+|   data-z="3"
+