Revert of Add support for 'href' (w/o XLink NS) for various SVG elements

third_party/WebKit/Source/core/svg/UnsafeSVGAttributeSanitizationTest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // FIXME(dominicc): Poor confused check-webkit-style demands Attribute.h here.
 #include "core/dom/Attribute.h"
 
 #include "core/HTMLNames.h"
 #include "core/SVGNames.h"
 #include "core/XLinkNames.h"
@@ skipping 16 matching lines @@
 #include "wtf/Vector.h"
 #include "wtf/text/AtomicString.h"
 #include "wtf/text/WTFString.h"
 
 // Test that SVG content with JavaScript URLs is sanitized by removing
 // the URLs. This sanitization happens when the content is pasted or
 // drag-dropped into an editable element.
 //
 // There are two vectors for JavaScript URLs in SVG content:
 //
-// 1. Attributes, for example xlink:href/href in an <svg:a> element.
+// 1. Attributes, for example xlink:href in an <svg:a> element.
 // 2. Animations which set those attributes, for example
 //    <animate attributeName="xlink:href" values="javascript:...
 //
 // The following SVG elements, although related to animation, cannot
 // set JavaScript URLs:
 //
 // - 'discard' can only remove elements, not set their attributes
 // - 'animateMotion' does not use attribute name and produces floats
 // - 'animateTransform' can only animate transform lists
 
@@ skipping 24 matching lines @@
 
 // Integration tests.
 
 TEST(
     UnsafeSVGAttributeSanitizationTest,
     pasteAnchor_javaScriptHrefIsStripped)
 {
     OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
     static const char unsafeContent[] =
         "<svg xmlns='http://www.w3.org/2000/svg' "
-        "     width='1cm' height='1cm'>"
-        "  <a href='javascript:alert()'></a>"
-        "</svg>";
-    String sanitizedContent =
-        contentAfterPastingHTML(pageHolder.get(), unsafeContent);
-
-    EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
-        "We should have pasted *something*; the document is: " <<
-        sanitizedContent.utf8().data();
-    EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
-        "The JavaScript URL is unsafe and should have been stripped; "
-        "instead: " <<
-        sanitizedContent.utf8().data();
-}
-
-TEST(
-    UnsafeSVGAttributeSanitizationTest,
-    pasteAnchor_javaScriptXlinkHrefIsStripped)
-{
-    OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
-    static const char unsafeContent[] =
-        "<svg xmlns='http://www.w3.org/2000/svg' "
         "     xmlns:xlink='http://www.w3.org/1999/xlink'"
         "     width='1cm' height='1cm'>"
         "  <a xlink:href='javascript:alert()'></a>"
         "</svg>";
     String sanitizedContent =
         contentAfterPastingHTML(pageHolder.get(), unsafeContent);
 
     EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
         "We should have pasted *something*; the document is: " <<
         sanitizedContent.utf8().data();
     EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
         "The JavaScript URL is unsafe and should have been stripped; "
         "instead: " <<
         sanitizedContent.utf8().data();
 }
 
 TEST(
     UnsafeSVGAttributeSanitizationTest,
     pasteAnchor_javaScriptHrefIsStripped_caseAndEntityInProtocol)
 {
     OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
     static const char unsafeContent[] =
-        "<svg xmlns='http://www.w3.org/2000/svg' "
-        "     width='1cm' height='1cm'>"
-        "  <a href='j&#x41;vascriPT:alert()'></a>"
-        "</svg>";
-    String sanitizedContent =
-        contentAfterPastingHTML(pageHolder.get(), unsafeContent);
-
-    EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
-        "We should have pasted *something*; the document is: " <<
-        sanitizedContent.utf8().data();
-    EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
-        "The JavaScript URL is unsafe and should have been stripped; "
-        "instead: " <<
-        sanitizedContent.utf8().data();
-}
-
-TEST(
-    UnsafeSVGAttributeSanitizationTest,
-    pasteAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
-{
-    OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
-    static const char unsafeContent[] =
         "<svg xmlns='http://www.w3.org/2000/svg' "
         "     xmlns:xlink='http://www.w3.org/1999/xlink'"
         "     width='1cm' height='1cm'>"
         "  <a xlink:href='j&#x41;vascriPT:alert()'></a>"
         "</svg>";
     String sanitizedContent =
         contentAfterPastingHTML(pageHolder.get(), unsafeContent);
 
     EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
         "We should have pasted *something*; the document is: " <<
         sanitizedContent.utf8().data();
     EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
         "The JavaScript URL is unsafe and should have been stripped; "
         "instead: " <<
         sanitizedContent.utf8().data();
 }
 
 TEST(
     UnsafeSVGAttributeSanitizationTest,
     pasteAnchor_javaScriptHrefIsStripped_entityWithoutSemicolonInProtocol)
 {
     OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
     static const char unsafeContent[] =
         "<svg xmlns='http://www.w3.org/2000/svg' "
-        "     width='1cm' height='1cm'>"
-        "  <a href='jav&#x61script:alert()'></a>"
-        "</svg>";
-    String sanitizedContent =
-        contentAfterPastingHTML(pageHolder.get(), unsafeContent);
-
-    EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
-        "We should have pasted *something*; the document is: " <<
-        sanitizedContent.utf8().data();
-    EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
-        "The JavaScript URL is unsafe and should have been stripped; "
-        "instead: " <<
-        sanitizedContent.utf8().data();
-}
-
-TEST(
-    UnsafeSVGAttributeSanitizationTest,
-    pasteAnchor_javaScriptXlinkHrefIsStripped_entityWithoutSemicolonInProtocol)
-{
-    OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
-    static const char unsafeContent[] =
-        "<svg xmlns='http://www.w3.org/2000/svg' "
         "     xmlns:xlink='http://www.w3.org/1999/xlink'"
         "     width='1cm' height='1cm'>"
         "  <a xlink:href='jav&#x61script:alert()'></a>"
         "</svg>";
     String sanitizedContent =
         contentAfterPastingHTML(pageHolder.get(), unsafeContent);
 
     EXPECT_TRUE(sanitizedContent.contains("</a>")) <<
         "We should have pasted *something*; the document is: " <<
         sanitizedContent.utf8().data();
     EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
         "The JavaScript URL is unsafe and should have been stripped; "
         "instead: " <<
         sanitizedContent.utf8().data();
 }
 
 // Other sanitization integration tests are layout tests that use
 // document.execCommand('Copy') to source content that they later
 // paste. However SVG animation elements are not serialized when
 // copying, which means we can't test sanitizing these attributes in
 // layout tests: there is nowhere to source the unsafe content from.
 TEST(
     UnsafeSVGAttributeSanitizationTest,
     pasteAnimatedAnchor_javaScriptHrefIsStripped_caseAndEntityInProtocol)
 {
     OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
     static const char unsafeContent[] =
-        "<svg xmlns='http://www.w3.org/2000/svg' "
-        "     width='1cm' height='1cm'>"
-        "  <a href='https://www.google.com/'>"
-        "    <animate attributeName='href' values='evil;J&#x61VaSCRIpT:alert()'>"
-        "  </a>"
-        "</svg>";
-    String sanitizedContent =
-        contentAfterPastingHTML(pageHolder.get(), unsafeContent);
-
-    EXPECT_TRUE(sanitizedContent.contains("<a href=\"https://www.goo")) <<
-        "We should have pasted *something*; the document is: " <<
-        sanitizedContent.utf8().data();
-    EXPECT_FALSE(sanitizedContent.contains(":alert()")) <<
-        "The JavaScript URL is unsafe and should have been stripped; "
-        "instead: " <<
-        sanitizedContent.utf8().data();
-}
-
-TEST(
-    UnsafeSVGAttributeSanitizationTest,
-    pasteAnimatedAnchor_javaScriptXlinkHrefIsStripped_caseAndEntityInProtocol)
-{
-    OwnPtr<DummyPageHolder> pageHolder = DummyPageHolder::create(IntSize(1, 1));
-    static const char unsafeContent[] =
         "<svg xmlns='http://www.w3.org/2000/svg' "
         "     xmlns:xlink='http://www.w3.org/1999/xlink'"
         "     width='1cm' height='1cm'>"
         "  <a xlink:href='https://www.google.com/'>"
         "    <animate xmlns:ng='http://www.w3.org/1999/xlink' "
         "             attributeName='ng:href' values='evil;J&#x61VaSCRIpT:alert()'>"
         "  </a>"
         "</svg>";
     String sanitizedContent =
         contentAfterPastingHTML(pageHolder.get(), unsafeContent);
@@ skipping 19 matching lines @@
     RefPtrWillBeRawPtr<Document> document = Document::create();
     RefPtrWillBeRawPtr<SVGElement> target = SVGAElement::create(*document);
     RefPtrWillBeRawPtr<SVGAnimateElement> element = SVGAnimateElement::create(*document);
     element->setTargetElement(target.get());
     element->setAttributeName(XLinkNames::hrefAttr);
 
     // Sanity check that xlink:href was identified as a "string" attribute
     EXPECT_EQ(AnimatedString, element->animatedPropertyType());
 
     EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
-
-    element->setAttributeName(SVGNames::hrefAttr);
-
-    // Sanity check that href was identified as a "string" attribute
-    EXPECT_EQ(AnimatedString, element->animatedPropertyType());
-
-    EXPECT_FALSE(element->animatedPropertyTypeSupportsAddition());
 }
 
 TEST(
     UnsafeSVGAttributeSanitizationTest,
     stripScriptingAttributes_animateElement)
 {
     Vector<Attribute> attributes;
     attributes.append(Attribute(XLinkNames::hrefAttr, "javascript:alert()"));
-    attributes.append(Attribute(SVGNames::hrefAttr, "javascript:alert()"));
     attributes.append(Attribute(SVGNames::fromAttr, "/home"));
     attributes.append(Attribute(SVGNames::toAttr, "javascript:own3d()"));
 
     RefPtrWillBeRawPtr<Document> document = Document::create();
     RefPtrWillBeRawPtr<Element> element = SVGAnimateElement::create(*document);
     element->stripScriptingAttributes(attributes);
 
-    EXPECT_EQ(3ul, attributes.size()) <<
+    EXPECT_EQ(2ul, attributes.size()) <<
         "One of the attributes should have been stripped.";
     EXPECT_EQ(XLinkNames::hrefAttr, attributes[0].name()) <<
         "The 'xlink:href' attribute should not have been stripped from "
         "<animate> because it is not a URL attribute of <animate>.";
-    EXPECT_EQ(SVGNames::hrefAttr, attributes[1].name()) <<
-        "The 'href' attribute should not have been stripped from "
-        "<animate> because it is not a URL attribute of <animate>.";
-    EXPECT_EQ(SVGNames::fromAttr, attributes[2].name()) <<
+    EXPECT_EQ(SVGNames::fromAttr, attributes[1].name()) <<
         "The 'from' attribute should not have been strippef from <animate> "
         "because its value is innocuous.";
 }
 
 TEST(
-    UnsafeSVGAttributeSanitizationTest,
-    isJavaScriptURLAttribute_hrefContainingJavascriptURL)
-{
-    Attribute attribute(SVGNames::hrefAttr, "javascript:alert()");
-    RefPtrWillBeRawPtr<Document> document = Document::create();
-    RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document);
-    EXPECT_TRUE(
-        element->isJavaScriptURLAttribute(attribute)) <<
-        "The 'a' element should identify an 'href' attribute with a "
-        "JavaScript URL value as a JavaScript URL attribute";
-}
-
-TEST(
     UnsafeSVGAttributeSanitizationTest,
     isJavaScriptURLAttribute_xlinkHrefContainingJavascriptURL)
 {
     Attribute attribute(XLinkNames::hrefAttr, "javascript:alert()");
     RefPtrWillBeRawPtr<Document> document = Document::create();
     RefPtrWillBeRawPtr<Element> element = SVGAElement::create(*document);
     EXPECT_TRUE(
         element->isJavaScriptURLAttribute(attribute)) <<
         "The 'a' element should identify an 'xlink:href' attribute with a "
         "JavaScript URL value as a JavaScript URL attribute";
@@ skipping 61 matching lines @@
     Attribute fineAttribute(SVGNames::fromAttr, "hello, world!");
     RefPtrWillBeRawPtr<Document> document = Document::create();
     RefPtrWillBeRawPtr<Element> element = SVGSetElement::create(*document);
     EXPECT_FALSE(
         element->isSVGAnimationAttributeSettingJavaScriptURL(fineAttribute)) <<
         "The animate element should not identify a 'from' attribute with an "
         "innocuous value as setting a JavaScript URL.";
 }
 
 } // namespace blink