java-html-sanitizer/owasp-java-html-sanitizer/src/test/java/org/owasp/html/OptgroupBugTest.java at fa38a991d3b4e6c33fb65e2b74d868197b745144 · Shangeeth29/java-html-sanitizer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
package org.owasp.html;

import org.junit.Test;
import static org.junit.Assert.assertEquals;

public class OptgroupBugTest {

    /**
     * Test that optgroup elements inside select are not corrupted with extra select tags.
     *
     * Before fix: <select><optgroup><select><option></option></select></optgroup></select>
     * After fix:  <select><optgroup><option></option></optgroup></select>
     */
    @Test
    public void testOptgroupInsideSelectDoesNotAddExtraSelectTags() {
        PolicyFactory factory = new HtmlPolicyBuilder()
            .allowElements("select", "optgroup", "option")
            .allowAttributes("label").globally()
            .toFactory();

        String input = "<select><optgroup label=\"mygroup\"><option>My option</option></optgroup></select>";
        String result = factory.sanitize(input);

        // The key assertion: no extra select tags should be inserted
        assertEquals(input, result);
    }
}