From 18f2f2c17e86d149bbf0f6d0aa5000fcbf1e9105 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Fri, 29 Oct 2021 00:38:54 -0400
Subject: [PATCH] test: finally use the CSS hex encoding originally intended
This was mis-fixed in c190b32 which encoded the Ruby strings as unicode to fix the previous bad encoding which dated back to the original Instiki that should have single-quoted the CSS unicode strings.
---
 test/sanitizer_test.rb | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 7938433..241564c 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -414,8 +414,25 @@ def test_should_sanitize_img_dynsrc_lowsrc
 end
 def test_should_sanitize_div_background_image_unicode_encoded
- raw = %(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
- assert_equal '', sanitize_css(raw)
+ [
+ convert_to_css_hex("url(javascript:alert(1))", false),
+ convert_to_css_hex("url(javascript:alert(1))", true),
+ convert_to_css_hex("url(https://example.com)", false),
+ convert_to_css_hex("url(https://example.com)", true),
+ ].each do |propval|
raw = "background-image:" + propval
assert_empty(sanitize_css(raw))
+ end
+ end
+
+ def test_should_allow_div_background_image_unicode_encoded_safe_functions
+ [
+ convert_to_css_hex("rgb(255,0,0)", false),
+ convert_to_css_hex("rgb(255,0,0)", true),
+ ].each do |propval|
raw = "background-image:" + propval
assert_includes(sanitize_css(raw), "background-image")
+ end
 end
 def test_should_sanitize_div_style_expression
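Review bot: The four `url(...)` cases in `test_should_sanitize_div_background_image_unicode_encoded` all assert an empty result, so the test cannot tell whether the sanitizer rejected the `javascript:` scheme or simply drops every hex-escaped `url()`; since the `url(https://example.com)` entries expect the same empty output, the latter is the contract actually under test and deserves a comment above the array, e.g. `# hex-escaped url() is dropped regardless of scheme; escaping must not smuggle it through`. The companion `safe_functions` test only exercises `rgb(255,0,0)` through `convert_to_css_hex`, so an unescaped baseline such as `assert_includes(sanitize_css("background-image:rgb(255,0,0)"), "background-image")` would make explicit that the escaping, not the value, is what is being checked. Both new test methods are complete within this hunk.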
@@ -574,4 +591,15 @@ def scope_allowed_attributes(attributes)
 ensure
 Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
 end
+
+ # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
+ def convert_to_css_hex(string, escape_parens=false)
+ string.chars.map do |c|
+ if !escape_parens && (c == "(" || c == ")")
+ c
+ else
+ format('\00%02X', c.ord)
+ end
+ end.join
+ end
 end
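Review bot: `format('\00%02X', c.ord)` in `convert_to_css_hex` is only fixed-width for code points up to 0xFF; `%02X` is a minimum width, so U+0100 and above widen the escape, and above U+FFFF the `\00` prefix pushes it past the six hex digits the comment itself cites, producing a malformed escape for any non-ASCII input the helper is later reused on. `format('\%06X', c.ord)` yields a six-digit escape for every code point and is equivalent for the ASCII inputs the current tests pass (`\000028` and `\0028` both denote U+0028). Two style points: the signature should read `escape_parens = false` (or a keyword argument) per the usual Ruby spacing, and `string.each_char.map` avoids materialising the intermediate array that `string.chars` builds. The method is complete within this hunk.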