Test sanitization

lib/galaxy/selenium/has_driver.py

@@ -116,6 +116,9 @@ def assert_absent(self, selector_template: Target) -> None:
     def element_absent(self, selector_template: Target) -> bool:
         return len(self.find_elements(selector_template)) == 0
 
+    def switch_to_frame(self, name: str = "frame"):
+        return self._wait_on(ec.frame_to_be_available_and_switch_to_it((By.NAME, name)))
+
     def wait_for_xpath(self, xpath: str, **kwds) -> WebElement:
         element = self._wait_on(
             ec.presence_of_element_located((By.XPATH, xpath)), f"XPATH selector [{xpath}] to become present", **kwds

test/functional/tools/html_output.xml

@@ -0,0 +1,25 @@
+<tool id="html_output" name="html_output" version="1.0.0">
+    <command><![CDATA[
+cp '$html_file' '$output'
+    ]]></command>
+    <configfiles>
+        <configfile name="html_file"><![CDATA[
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title data-description="hello-world">Hello World</title>
+</head>
+<body>
+    <main>
+       <h1>Hello, World!</h1>
+    </main>
+</body>
+</html>
+        ]]></configfile>
+    </configfiles>
+    <outputs>
+        <data name="output" format="html" />
+    </outputs>
+</tool>

test/functional/tools/sample_tool_conf.xml

@@ -243,6 +243,7 @@
 
   <tool file="multiple_versions_changes_v01.xml" />
   <tool file="multiple_versions_changes_v02.xml" />
+  <tool file="html_output.xml" />
 
   <tool file="interactivetool_simple.xml" />
   <tool file="interactivetool_two_entry_points.xml" />

test/integration_selenium/test_allowlist_sanitization.py

@@ -0,0 +1,54 @@
+import os
+from .framework import (
+    selenium_test,
+    SeleniumIntegrationTestCase,
+)
+
+
+class TestAllowListSanitization(SeleniumIntegrationTestCase):
+    run_as_admin = True
+    axe_skip = True  # skip testing iframe contents
+
+    @classmethod
+    def handle_galaxy_config_kwds(cls, config):
+        super().handle_galaxy_config_kwds(config)
+        config["sanitize_all_html"] = True
+        config["sanitize_allowlist_file"] = os.path.join(cls.temp_config_dir("isolated"), "allowlist.txt")
+
+    def run_html_output(self):
+        history_id = self.dataset_populator.new_history()
+        run_response = self.dataset_populator.run_tool("html_output", {}, history_id=history_id)
+        hda_id = run_response["outputs"][0]["id"]
+        self.dataset_populator.wait_for_dataset(history_id, dataset_id=hda_id)
+        return hda_id
+
+    @selenium_test
+    def test_html_output_sanitized(self):
+        self.login()
+        hda_id = self.run_html_output()
+        self.get(f"datasets/{hda_id}/preview")
+        self.wait_for_selector_visible("[data-description='sanitization warning']")
+        self.assert_selector_absent("[data-description='allowlist link']")
+        self.screenshot("sanitization warning")
+        assert self.switch_to_frame()
+        self.assert_selector_absent("[data-description='hello-world']")
+
+    @selenium_test
+    def test_html_output_sanitized_admin(self):
+        self.admin_login()
+        hda_id = self.run_html_output()
+        self.get(f"datasets/{hda_id}/preview")
+        self.wait_for_selector_visible("[data-description='sanitization warning']")
+        self.wait_for_selector_visible("[data-description='allowlist link']")
+        self.screenshot("sanitization warning admin")
+        try:
+            self._put(
+                "/api/sanitize_allow?tool_id=html_output", data={"params": {"tool_id": "html_output"}}, admin=True
+            ).raise_for_status()
+            self.driver.refresh()
+            self.assert_selector_absent("[data-description='sanitization warning']")
+            self.assert_selector_absent("[data-description='allowlist link']")
+            assert self.switch_to_frame()
+            self.wait_for_selector("[data-description='hello-world']")
+        finally:
+            self._delete("/api/sanitize_allow?tool_id=html_output", admin=True)