I'm not sure if it's my fault:
    public void testImagesParam() throws RendererException, IOException
    {
        // Input with inline event handlers and an embedded image
        final String l_strUnsafeHTML;
        l_strUnsafeHTML = "xss<a href=\"http://www.google.de\" style=\"color:red;\""
            + " onmouseover=alert(1) onmousemove=\"alert(2)\" onclick=alert(3)>"
            + "g<img src=\"http://example.org\"/>oogle</a>";
        final IPipedRenderer l_renderer;
        l_renderer = new XssProtectionRenderer();

        // IMAGES enabled: event handlers are expected to be stripped, the <img> kept
        l_renderer.setParam(XssProtectionRenderer.IMAGES, true);
        String l_strOutput = l_renderer.getOutput(ValueHolderFactory.getValueHolder(l_strUnsafeHTML));
        assertEquals("xss<a href=\"http://www.google.de\" style=\"color:red\" rel=\"nofollow\">"
            + "g<img src=\"http://example.org\" />oogle</a>", l_strOutput);

        // IMAGES disabled: the <img> is expected to be removed as well
        l_renderer.reset();
        l_renderer.setParam(XssProtectionRenderer.IMAGES, false);
        l_strOutput = l_renderer.getOutput(ValueHolderFactory.getValueHolder(l_strUnsafeHTML));
        assertEquals("xss<a href=\"http://www.google.de\" style=\"color:red\" rel=\"nofollow\">google</a>",
            l_strOutput);
        l_renderer.finish(true);
    }
Sometimes the second assertion holds true (most of the time) and sometimes not. However, I'm not doing anything in parallel within the renderer (and I'm sure from debugging that HTMLSanitizer isn't doing anything in parallel, either). Strange...