Chromium Code Reviews
Unified Diff: pkg/http_server/test/virtual_directory_test.dart

Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page. (Closed) Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Patch Set: Remove debug code. Created 6 years, 9 months ago
Index: pkg/http_server/test/virtual_directory_test.dart
diff --git a/pkg/http_server/test/virtual_directory_test.dart b/pkg/http_server/test/virtual_directory_test.dart
index c04ec3414522e10bbc534d865dc28ea4015a3124..8c85a7a543bafa89437069cd869b6a668fb40f2c 100644
--- a/pkg/http_server/test/virtual_directory_test.dart
+++ b/pkg/http_server/test/virtual_directory_test.dart
@@ -99,7 +99,7 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
});
});
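Review bot: the new expectation on the `+` line, `contains('Index of &#x2F')`, drops the terminating `;` of the `&#x2F;` entity. `contains` is a prefix match, so the test passes either way, but it also accepts an unterminated entity in the listing, which user agents may treat differently from `&#x2F;`. Suggest `expect(result, contains('Index of &#x2F;'));`. Note also that `/` has no HTML significance in text content, so this assertion documents the escaper's output rather than proving a payload is neutralised; the coverage that matters is the tests that create a directory with an attacker-controlled name.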
@@ -112,7 +112,7 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
});
});
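Review bot: same missing `;` after `&#x2F` as in the previous hunk; use `'Index of &#x2F;'` here too so the three `Index of` expectations stay identical and a later change to the escaper's output needs one consistent edit.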
@@ -125,7 +125,29 @@ void main() {
return getAsString(virDir, '/')
.then((result) {
- expect(result, contains('Index of /'));
+ expect(result, contains('Index of &#x2F'));
+ });
+ });
+
+ testVirtualDir('encoded', (dir) {
+ var virDir = new VirtualDirectory(dir.path);
+ new Directory('${dir.path}/alert(\'hacked!\');').createSync();
nweiz 2014/04/04 18:06:37 "/" isn't a great test case for HTML-escaping beca
Anders Johnsen 2014/04/07 07:03:08 Done.
+ virDir.allowDirectoryListing = true;
+
+ return getAsString(virDir, '/alert(\'hacked!\');')
+ .then((result) {
+ expect(result, contains('/alert('hacked!');/'));
+ });
+ });
+
+ testVirtualDir('encoded', (dir) {
+ var virDir = new VirtualDirectory(dir.path);
+ new Directory('${dir.path}/javascript:alert(document);"').createSync();
+ virDir.allowDirectoryListing = true;
+
+ return getAsString(virDir, '/')
+ .then((result) {
+ expect(result, contains('%2Fjavascript%3Aalert(document)%3B%22'));
});
});
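Review bot: the expectation in the first new test, `expect(result, contains('/alert('hacked!');/'));`, is not a valid Dart string literal as shown: the apostrophes around `hacked!` close and reopen the single-quoted literal, so the file will not compile. Given that the hunks above expect `/` to come back as `&#x2F`, the intended expectation is presumably the HTML-escaped form of the quote as well; write the expected string with escaped quotes (or a double-quoted literal) and confirm the test file parses. Two further points on this hunk: both new tests are registered under the same name, `'encoded'`, which makes failures ambiguous in the test output, so give them distinct names (one exercises the request path in the title, the other the `href` in the listing of `/`); and the second test only asserts the positive case, that the percent-encoded `%2Fjavascript%3Aalert(document)%3B%22` is present, so add a negative assertion that the raw `javascript:alert(document);"` does not appear anywhere in the body, otherwise the test still passes if the file name is emitted unescaped in the link text.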
@@ -137,17 +159,17 @@ void main() {
return Future.wait([
getAsString(virDir, '/').then(
- (s) => s.contains('recursive/')),
+ (s) => s.contains('recursive/')),
getAsString(virDir, '/').then(
(s) => !s.contains('../')),
getAsString(virDir, '/').then(
- (s) => s.contains('Index of /')),
+ (s) => s.contains('Index of /')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('recursive/')),
+ (s) => s.contains('recursive/')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('../')),
+ (s) => s.contains('../')),
getAsString(virDir, '/recursive').then(
- (s) => s.contains('Index of /recursive'))])
+ (s) => s.contains('Index of /recursive'))])
.then((result) {
expect(result, equals([true, true, true, true, true, true]));
});
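Review bot: every `-`/`+` pair in this hunk is textually identical as displayed (`s.contains('recursive/')`, `s.contains('Index of /')`, `s.contains('Index of /recursive')`), so the hunk shows no visible change. Either it is whitespace-only, in which case it does not belong in an XSS fix and should be dropped, or the page has decoded `&#x2F;` entities in the `+` lines back to `/`; if the latter, these expectations use the terminated entity while the hunks above use `&#x2F` without the semicolon, so settle on one form in the escaper and in the tests. Separately, the unchanged context line `(s) => !s.contains('../')` still asserts against the unescaped form: once `/` is escaped in the listing, `../` can never appear literally and the assertion passes vacuously. It should check the escaped form, `!s.contains('..&#x2F;')`, to keep testing that the parent-directory link is absent at the root.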