Check for DOM clobbering attacks in sanitizing/node validation

tests/html/node_validator_test.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 library validator_test;
 
-import 'dart:async';
 import 'dart:html';
 import 'dart:svg' as svg;
 import 'package:unittest/unittest.dart';
 import 'package:unittest/html_individual_config.dart';
 import 'utils.dart';
 
 
 var nullSanitizer = new NullTreeSanitizer();
 
 void validateHtml(String html, String reference, NodeValidator validator) {
   var a = document.body.createFragment(html, validator: validator);
   var b = document.body.createFragment(reference,
       treeSanitizer: nullSanitizer);
 
+  // Prevent a false pass when both the html and the reference both get entirely
+  // deleted, which is technically a match, but unlikely to be what we meant.
+  if (reference != '') {
+    expect(b.childNodes.length > 0, isTrue);
+  }
   validateNodeTree(a, b);
 }
 
 class RecordingUriValidator implements UriPolicy {
   final List<String> calls = <String>[];
 
   bool allowsUri(String uri) {
     calls.add('$uri');
     return false;
   }
@@ skipping 92 matching lines @@
       var template = fragment.nodes.single;
 
       var expectedContent = document.body.createFragment(
           '<div></div>'
           '<img/>');
 
       validateNodeTree(template.content, expectedContent);
     });
   });
 
-  group('URI sanitization', () {
+  group('URI_sanitization', () {
     var recorder = new RecordingUriValidator();
     var validator = new NodeValidatorBuilder()..allowHtml5(uriPolicy: recorder);
 
     checkUriPolicyCalls(String name, String html, String reference,
         List<String> expectedCalls) {
 
       test(name, () {
         recorder.reset();
 
         validateHtml(html, reference, validator);
@@ skipping 202 matching lines @@
       '<svg xmlns="http://www.w3.org/2000/svg'
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
         '<image xlink:href="foo" data-foo="bar"/>'
       '</svg>');
 
     testHtml('blocks script elements',
       validator,
       '<svg xmlns="http://www.w3.org/2000/svg>'
         '<script></script>'
       '</svg>',
-      '<svg xmlns="http://www.w3.org/2000/svg></svg>');
+      '');
+
+    testHtml('blocks script elements but allows other',
+      validator,
+      '<svg xmlns="http://www.w3.org/2000/svg>'
+        '<script></script><ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>'
+      '</svg>',
+      '<svg xmlns="http://www.w3.org/2000/svg>'
+        '<ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>'
+      '</svg>');
 
     testHtml('blocks script handlers',
       validator,
       '<svg xmlns="http://www.w3.org/2000/svg'
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
         '<image xlink:href="foo" onerror="something"/>'
       '</svg>',
       '<svg xmlns="http://www.w3.org/2000/svg'
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
         '<image xlink:href="foo"/>'
@@ skipping 81 matching lines @@
             'xmlns:xlink="http://www.w3.org/1999/xlink">'
           '<image xlink:href="foo" data-foo="bar"/>'
         '</svg>';
 
       var fragment = new DocumentFragment.svg(svgText);
       var element = fragment.nodes.first;
       expect(element is svg.SvgSvgElement, isTrue);
       expect(element.children[0] is svg.ImageElement, isTrue);
     });
   });
+
+  group('dom_clobbering', () {
+    var validator = new NodeValidatorBuilder.common();
+
+    testHtml('DOM clobbering of attributes with single node',
+    validator,
+    "<form onmouseover='alert(1)'><input name='attributes'>",
+    "");
+
+    testHtml('DOM clobbering of attributes with multiple nodes',
+    validator,
+    "<form onmouseover='alert(1)'><input name='attributes'>"
+    "<input name='attributes'>",
+    "");
+
+    testHtml('DOM clobbering of lastChild',
+    validator,
+    "<form><input name='lastChild'><input onmouseover='alert(1)'>",
+    "");
+
+    testHtml('DOM clobbering of both children and lastChild',
+    validator,
+    "<form><input name='lastChild'><input name='children'>"
+    "<input id='children'><input onmouseover='alert(1)'>",
+    "");
+
+    testHtml('DOM clobbering of both children and lastChild, different order',
+    validator,
+    "<form><input name='children'><input name='children'>"
+    "<input id='children' name='lastChild'>"
+    "<input id='bad' onmouseover='alert(1)'>",
+    "");
+
+    testHtml('tagName makes containing form invalid',
+    validator,
+    "<form onmouseover='alert(2)'><input name='tagName'>",
+    "");
+
+    testHtml('tagName without mouseover',
+    validator,
+    "<form><input name='tagName'>",
+    "");
+  });
 }