Sanitizer: Sort the result of the get() method.

Differential Revision: https://phabricator.services.mozilla.com/D267211

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1989215
gecko-commit: 5f23528ad0d4305996911dc302d3a957e8cb5f8e
gecko-reviewers: smaug

Author: evilpie

sanitizer-api/sanitizer-get.tentative.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/util.js"></script>
+</head>
+<body>
+<script>
+
+const TEST_CASES = [
+  [
+    ["b", "a"],
+    ["a", "b"]
+  ],
+  [
+    ["c", "b", "a"],
+    ["a", "b", "c"]
+  ],
+  [
+    [{name: "b", namespace: null}, {name: "a", namespace: null}],
+    [{name: "a", namespace: null}, {name: "b", namespace: null}]
+  ],
+  [
+    [{name: "_", namespace: "a"}, {name: "_", namespace: null}],
+    [{name: "_", namespace: null}, {name: "_", namespace: "a"}]
+  ],
+  [
+    [{name: "_", namespace: "b"}, {name: "_", namespace: "a"}],
+    [{name: "_", namespace: "a"}, {name: "_", namespace: "b"}]
+  ],
+  [
+    [{name: "a", namespace: "b"}, {name: "z", namespace: "a"}, {name: "b", namespace: "b"}],
+    [{name: "z", namespace: "a"}, {name: "a", namespace: "b"}, {name: "b", namespace: "b"}],
+  ]
+];
+
+for (const key of ["attributes", "removeAttributes", "elements", "removeElements", "replaceWithChildrenElements"]) {
+  test(() => {
+    for (const [input, expected] of TEST_CASES) {
+      let s = new Sanitizer({
+        [key]: input
+      });
+      assert_config(s.get(), {
+        [key]: expected
+      });
+    }
+  }, `Sorting of ${key}`);
+}
+
+for (const key of ["attributes", "removeAttributes"]) {
+  test(() => {
+      for (const [input, expected] of TEST_CASES) {
+        let s = new Sanitizer({
+          elements: [{name: "_", [key]: input}]
+        });
+        assert_config(s.get(), {
+          elements: [{name: "_", [key]: expected}]
+        });
+      }
+  }, `Sorting of element's ${key}`);
+}
+
+</script>
+</body>
+</html>

sanitizer-api/sanitizer-modifiers.tentative.html

@@ -3,172 +3,10 @@
 <head>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
+  <script src="./support/util.js"></script>
 </head>
 <body>
 <script>
-function is_same_sanitizer_name(a, b) {
-  return a.name === b.name && a.namespace === b.namespace;
-}
-
-// https://pr-preview.s3.amazonaws.com/otherdaniel/purification/pull/296.html#sanitizerconfig-valid
-function assert_config_is_valid(config) {
-  // The config has either an elements or a removeElements key, but not both.
-  assert_false(
-    "elements" in config && "removeElements" in config,
-    "Either elements or a removeElements, but not both",
-  );
-  assert_true(
-    "elements" in config || "removeElements" in config,
-    "Either elements or a removeElements",
-  );
-
-  // The config has either an attributes or a removeAttributes key, but not both.
-  assert_false(
-    "attributes" in config && "removeAttributes" in config,
-    "Either attributes or a removeAttributes, but not both",
-  );
-  assert_true(
-    "attributes" in config || "removeAttributes" in config,
-    "Either attributes or removeAttributes",
-  );
-
-  // If both config[elements] and config[replaceWithChildrenElements] exist, then the difference of config[elements] and config[replaceWithChildrenElements] is empty.
-  if (config.elements && config.replaceWithChildrenElements) {
-    for (let element of config.elements) {
-      assert_false(
-        config.replaceWithChildrenElements.some((replaceElement) =>
-          is_same_sanitizer_name(element, replaceElement),
-        ),
-        `replaceWithChildrenElements should not contain ${element.name}`,
-      );
-    }
-  }
-
-  // If both config[removeElements] and config[replaceWithChildrenElements] exist, then the difference of config[removeElements] and config[replaceWithChildrenElements] is empty.
-  if (config.removeElements && config.replaceWithChildrenElements) {
-    for (let removeElement of config.removeElements) {
-      assert_false(
-        config.replaceWithChildrenElements.some((replaceElement) =>
-          is_same_sanitizer_name(removeElement, replaceElement),
-        ),
-        `replaceWithChildrenElements should not contain ${removeElement.name}`,
-      );
-    }
-  }
-
-  // If config[attributes] exists:
-  if (config.attributes) {
-  } else {
-    // config[dataAttributes] does not exist.
-    assert_false("dataAttributes" in config, "dataAttributes does not exist");
-  }
-}
-
-function assert_config(config, expected) {
-  const PROPERTIES = [
-    "attributes",
-    "removeAttributes",
-    "elements",
-    "removeElements",
-    "replaceWithChildrenElements",
-    "comments",
-    "dataAttributes",
-  ];
-
-  // Prevent some typos in the expected config.
-  for (let key of Object.keys(expected)) {
-    assert_in_array(key, PROPERTIES, "expected");
-  }
-  for (let key of Object.keys(config)) {
-    assert_in_array(key, PROPERTIES, "config");
-  }
-
-  assert_config_is_valid(config);
-
-  // XXX dataAttributes
-  // XXX comments
-  // XXX duplications
-  // XXX other consistency checks
-
-  function assert_attrs(key, config, expected, prefix = "config") {
-    // XXX we allow specifying only a subset for expected.
-    if (!(key in expected)) {
-      return;
-    }
-
-    if (expected[key] === undefined) {
-      assert_false(key in config, `Unexpected '${key}' in ${prefix}`);
-      return;
-    }
-
-    assert_true(key in config, `Missing '${key}' from ${prefix}`);
-    assert_equals(config[key]?.length, expected[key].length, `${prefix}.${key}.length`);
-    for (let i = 0; i < expected[key].length; i++) {
-      let attribute = expected[key][i];
-      if (typeof attribute === "string") {
-        assert_object_equals(
-          config[key][i],
-          { name: attribute, namespace: null },
-          `${prefix}.${key}[${i}] should match`,
-        );
-      } else {
-        assert_object_equals(
-          config[key][i],
-          attribute,
-          `${prefix}.${key}[${i}] should match`,
-        );
-      }
-    }
-  }
-
-  assert_attrs("attributes", config, expected);
-  assert_attrs("removeAttributes", config, expected);
-
-  function assert_elems(key) {
-    if (!(key in expected)) {
-      return;
-    }
-
-    if (expected[key] === undefined) {
-      assert_false(key in config, `Unexpected '${key}' in config`);
-      return;
-    }
-
-    assert_true(key in config, `Missing '${key}' from config`);
-    assert_equals(config[key]?.length, expected[key].length, `${key}.length`);
-
-    const XHTML_NS = "http://www.w3.org/1999/xhtml";
-
-    for (let i = 0; i < expected[key].length; i++) {
-      let element = expected[key][i];
-      // To make writing tests a bit easier we also support the shorthand string syntax.
-      if (typeof element === "string") {
-        let extra = key === "elements" ? { removeAttributes: [] } : { };
-        assert_object_equals(
-          config[key][i],
-          { name: element, namespace: XHTML_NS, ...extra },
-          `${key}[${i}] should match`,
-        );
-      } else {
-        if (key === "elements") {
-          assert_equals(config[key][i].name, element.name, `${key}[${i}].name should match`);
-          let ns = "namespace" in element ? element.namespace : XHTML_NS;
-          assert_equals(config[key][i].namespace, ns, `${key}[${i}].namespace should match`);
-
-          assert_attrs("attributes", config[key][i], element, `config.elements[${i}]`);
-          assert_attrs("removeAttributes", config[key][i], element, `config.elements[${i}]`);
-        } else {
-          assert_object_equals(config[key][i], element, `${key}[${i}] should match`);
-        }
-      }
-    }
-  }
-
-  assert_elems("elements");
-  assert_elems("removeElements");
-  assert_elems("replaceWithChildrenElements");
-}
-
 const NS = "http://example.org/";
 
 test(() => {
@@ -339,19 +177,19 @@
 
   assert_true(s.removeAttribute("dir"));
   assert_config(s.get(), {
-    removeAttributes: ["title", "dir"],
+    removeAttributes: ["dir", "title"],
     elements: [{ name: "div", attributes: ["class"], removeAttributes: ["id"] }],
   });
 
   assert_true(s.removeAttribute("id"));
   assert_config(s.get(), {
-    removeAttributes: ["title", "dir", "id"],
+    removeAttributes: ["dir", "id", "title"],
     elements: [{ name: "div", attributes: ["class"], removeAttributes: [] }],
   });
 
   assert_true(s.removeAttribute("class"));
   assert_config(s.get(), {
-    removeAttributes: ["title", "dir", "id", "class"],
+    removeAttributes: ["class", "dir", "id", "title"],
     elements: [{ name: "div", attributes: [], removeAttributes: [] }],
   });
 }, "sanitizer.removeAttribute() with global removeAttributes and elements");
@@ -364,13 +202,13 @@
 
   assert_false(s.removeElement("span"));
   assert_config(s.get(), {
-    elements: ["p", { name: "p", namespace: NS }],
+    elements: [{ name: "p", namespace: NS }, "p"],
     replaceWithChildrenElements: ["b"],
   });
 
   assert_true(s.removeElement("b"));
   assert_config(s.get(), {
-    elements: ["p", { name: "p", namespace: NS }],
+    elements: [{ name: "p", namespace: NS }, "p"],
     replaceWithChildrenElements: [],
   });
 
@@ -395,25 +233,25 @@
 
   assert_false(s.removeElement("p"));
   assert_config(s.get(), {
-    removeElements: ["p", { name: "p", namespace: NS }],
+    removeElements: [{ name: "p", namespace: NS }, "p"],
     replaceWithChildrenElements: ["b"],
   });
 
   assert_false(s.removeElement({ name: "p", namespace: NS }));
   assert_config(s.get(), {
-    removeElements: ["p", { name: "p", namespace: NS }],
+    removeElements: [{ name: "p", namespace: NS }, "p"],
     replaceWithChildrenElements: ["b"],
   });
 
   assert_true(s.removeElement("span"));
   assert_config(s.get(), {
-    removeElements: ["p", { name: "p", namespace: NS }, "span"],
+    removeElements: [{ name: "p", namespace: NS }, "p", "span"],
     replaceWithChildrenElements: ["b"],
   });
 
   assert_true(s.removeElement("b"));
   assert_config(s.get(), {
-    removeElements: ["p", { name: "p", namespace: NS }, "span", "b"],
+    removeElements: [{ name: "p", namespace: NS },  "b",  "p", "span"],
     replaceWithChildrenElements: [],
   });
 }, "sanitizer.removeElement() with global removeElements");
@@ -438,7 +276,7 @@
 
   assert_true(s.replaceElementWithChildren("b"));
   assert_config(s.get(), {
-    replaceWithChildrenElements: ["a", "span", "b"],
+    replaceWithChildrenElements: ["a", "b", "span"],
     elements: [],
   });
 }, "sanitizer.replaceElementWithChildren() with global elements");
@@ -463,7 +301,7 @@
 
   assert_true(s.replaceElementWithChildren("b"));
   assert_config(s.get(), {
-    replaceWithChildrenElements: ["a", "span", "b"],
+    replaceWithChildrenElements: ["a", "b", "span"],
     removeElements: [],
   });
 }, "sanitizer.replaceElementWithChildren() with global removeElements");
@@ -482,13 +320,13 @@
 
   assert_true(s.allowElement({name: "a", namespace: NS}));
   assert_config(s.get(), {
-    elements: ["a", {name: "a", namespace: NS}],
+    elements: [{name: "a", namespace: NS}, "a"],
     replaceWithChildrenElements: ["b"]
   });
 
   assert_true(s.allowElement("b"));
   assert_config(s.get(), {
-    elements: ["a", {name: "a", namespace: NS}, "b"],
+    elements: [{name: "a", namespace: NS}, "a", "b"],
     replaceWithChildrenElements: []
   });
 }, "sanitizer.allowElement() with global elements");

sanitizer-api/sanitizer-removeUnsafe.tentative.html

@@ -22,7 +22,7 @@
     "removeElements": [
       {
         "namespace": "http://www.w3.org/1999/xhtml",
-        "name": "script"
+        "name": "embed"
       },
       {
         "namespace": "http://www.w3.org/1999/xhtml",
@@ -38,7 +38,7 @@
       },
       {
         "namespace": "http://www.w3.org/1999/xhtml",
-        "name": "embed"
+        "name": "script"
       },
       {
         "namespace": "http://www.w3.org/2000/svg",