Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(737)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: tests/html/node_validator_test.dart

Issue 1077813002: Check for DOM clobbering attacks in sanitizing/node validation (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « tests/html/html.status ('k') | tools/dom/src/Validators.dart » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: tests/html/node_validator_test.dart
diff --git a/tests/html/node_validator_test.dart b/tests/html/node_validator_test.dart
index 71ab679157adca2b2aa52428c79c5d15419f15fa..68940ce085d64114e86842bfd5f5d93eae5c215d 100644
--- a/tests/html/node_validator_test.dart
+++ b/tests/html/node_validator_test.dart
@@ -4,7 +4,6 @@
library validator_test;
-import 'dart:async';
import 'dart:html';
import 'dart:svg' as svg;
import 'package:unittest/unittest.dart';
@@ -19,6 +18,11 @@ void validateHtml(String html, String reference, NodeValidator validator) {
var b = document.body.createFragment(reference,
treeSanitizer: nullSanitizer);
+ // Prevent a false pass when both the html and the reference both get entirely
+ // deleted, which is technically a match, but unlikely to be what we meant.
+ if (reference != '') {
+ expect(b.childNodes.length > 0, isTrue);
+ }
validateNodeTree(a, b);
}
@@ -131,7 +135,7 @@ main() {
});
});
- group('URI sanitization', () {
+ group('URI_sanitization', () {
var recorder = new RecordingUriValidator();
var validator = new NodeValidatorBuilder()..allowHtml5(uriPolicy: recorder);
@@ -354,7 +358,16 @@ main() {
'<svg xmlns="http://www.w3.org/2000/svg>'
'<script></script>'
'</svg>',
- '<svg xmlns="http://www.w3.org/2000/svg></svg>');
+ '');
+
+ testHtml('blocks script elements but allows other',
+ validator,
+ '<svg xmlns="http://www.w3.org/2000/svg>'
+ '<script></script><ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>'
+ '</svg>',
+ '<svg xmlns="http://www.w3.org/2000/svg>'
+ '<ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>'
+ '</svg>');
testHtml('blocks script handlers',
validator,
@@ -456,4 +469,47 @@ main() {
expect(element.children[0] is svg.ImageElement, isTrue);
});
});
+
+ group('dom_clobbering', () {
+ var validator = new NodeValidatorBuilder.common();
+
+ testHtml('DOM clobbering of attributes with single node',
+ validator,
+ "<form onmouseover='alert(1)'><input name='attributes'>",
+ "");
+
+ testHtml('DOM clobbering of attributes with multiple nodes',
+ validator,
+ "<form onmouseover='alert(1)'><input name='attributes'>"
+ "<input name='attributes'>",
+ "");
+
+ testHtml('DOM clobbering of lastChild',
+ validator,
+ "<form><input name='lastChild'><input onmouseover='alert(1)'>",
+ "");
+
+ testHtml('DOM clobbering of both children and lastChild',
+ validator,
+ "<form><input name='lastChild'><input name='children'>"
+ "<input id='children'><input onmouseover='alert(1)'>",
+ "");
+
+ testHtml('DOM clobbering of both children and lastChild, different order',
+ validator,
+ "<form><input name='children'><input name='children'>"
+ "<input id='children' name='lastChild'>"
+ "<input id='bad' onmouseover='alert(1)'>",
+ "");
+
+ testHtml('tagName makes containing form invalid',
+ validator,
+ "<form onmouseover='alert(2)'><input name='tagName'>",
+ "");
+
+ testHtml('tagName without mouseover',
+ validator,
+ "<form><input name='tagName'>",
+ "");
+ });
}
« no previous file with comments | « tests/html/html.status ('k') | tools/dom/src/Validators.dart » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698