1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
4 | 4 |
5 /// This tests HTML validation and sanitization, which is very important | 5 /// This tests HTML validation and sanitization, which is very important |
6 /// for prevent XSS or other attacks. If you suppress this, or parts of it | 6 /// for prevent XSS or other attacks. If you suppress this, or parts of it |
7 /// please make it a critical bug and bring it to the attention of the | 7 /// please make it a critical bug and bring it to the attention of the |
8 /// dart:html maintainers. | 8 /// dart:html maintainers. |
9 library trusted_html_tree_sanitizer_test; | 9 import 'dart:js' as js; |
10 | |
11 import 'dart:html'; | 10 import 'dart:html'; |
12 import 'dart:svg' as svg; | 11 import 'dart:svg' as svg; |
13 import 'package:unittest/unittest.dart'; | 12 |
14 import 'package:unittest/html_individual_config.dart'; | 13 import 'package:expect/minitest.dart'; |
| 14 |
15 import 'utils.dart'; | 15 import 'utils.dart'; |
16 import 'dart:js' as js; | |
17 | 16 |
18 var oldAdoptNode; | 17 var oldAdoptNode; |
19 var jsDocument; | 18 var jsDocument; |
20 | 19 |
21 /// We want to verify that with the trusted sanitizer we are not | 20 /// We want to verify that with the trusted sanitizer we are not |
22 /// creating a document fragment. So make DocumentFragment operation | 21 /// creating a document fragment. So make DocumentFragment operation |
23 /// throw. | 22 /// throw. |
24 makeDocumentFragmentAdoptionThrow() { | 23 makeDocumentFragmentAdoptionThrow() { |
25 var document = js.context['document']; | 24 var document = js.context['document']; |
26 jsDocument = new js.JsObject.fromBrowserObject(document); | 25 jsDocument = new js.JsObject.fromBrowserObject(document); |
27 oldAdoptNode = jsDocument['adoptNode']; | 26 oldAdoptNode = jsDocument['adoptNode']; |
28 jsDocument['adoptNode'] = null; | 27 jsDocument['adoptNode'] = null; |
29 } | 28 } |
30 | 29 |
31 restoreOldAdoptNode() { | 30 restoreOldAdoptNode() { |
32 jsDocument['adoptNode'] = oldAdoptNode; | 31 jsDocument['adoptNode'] = oldAdoptNode; |
33 } | 32 } |
34 | 33 |
35 main() { | 34 main() { |
36 useHtmlIndividualConfiguration(); | |
37 | |
38 group('not_create_document_fragment', () { | 35 group('not_create_document_fragment', () { |
39 setUp(makeDocumentFragmentAdoptionThrow); | 36 setUp(makeDocumentFragmentAdoptionThrow); |
40 tearDown(restoreOldAdoptNode); | 37 tearDown(restoreOldAdoptNode); |
41 | 38 |
42 test('setInnerHtml', () { | 39 test('setInnerHtml', () { |
43 document.body.setInnerHtml('<div foo="baz">something</div>', | 40 document.body.setInnerHtml('<div foo="baz">something</div>', |
44 treeSanitizer: NodeTreeSanitizer.trusted); | 41 treeSanitizer: NodeTreeSanitizer.trusted); |
45 expect(document.body.innerHtml, '<div foo="baz">something</div>'); | 42 expect(document.body.innerHtml, '<div foo="baz">something</div>'); |
46 }); | 43 }); |
47 | 44 |
48 test("appendHtml", () { | 45 test("appendHtml", () { |
49 var oldStuff = document.body.innerHtml; | 46 var oldStuff = document.body.innerHtml; |
50 var newStuff = '<div rumplestiltskin="value">content</div>'; | 47 var newStuff = '<div rumplestiltskin="value">content</div>'; |
51 document.body.appendHtml(newStuff, | 48 document.body.appendHtml(newStuff, |
52 treeSanitizer: NodeTreeSanitizer.trusted); | 49 treeSanitizer: NodeTreeSanitizer.trusted); |
53 expect(document.body.innerHtml, oldStuff + newStuff); | 50 expect(document.body.innerHtml, oldStuff + newStuff); |
54 }); | 51 }); |
55 }); | 52 }); |
56 | 53 |
57 group('untrusted', () { | 54 group('untrusted', () { |
58 setUp(makeDocumentFragmentAdoptionThrow); | 55 setUp(makeDocumentFragmentAdoptionThrow); |
59 tearDown(restoreOldAdoptNode); | 56 tearDown(restoreOldAdoptNode); |
60 test('untrusted', () { | 57 test('untrusted', () { |
61 expect(() => document.body.innerHtml = "<p>anything</p>", throws); | 58 expect(() => document.body.innerHtml = "<p>anything</p>", throws); |
62 }); | 59 }); |
63 }); | 60 }); |
64 } | 61 } |
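Review bot: The reworked import block at new lines 9–11 places `dart:js` ahead of `dart:html` and `dart:svg`; the `dart:` imports were alphabetical before this change and the `directives_ordering` lint expects them sorted, so `import 'dart:html';` / `import 'dart:js' as js;` / `import 'dart:svg' as svg;` is the conventional order. Separately, the 'untrusted' test at new lines 57–59 asserts only that the assignment throws, and a reader has to scroll back to the comment on makeDocumentFragmentAdoptionThrow to learn why a throw is the pass condition; a comment at the assertion such as `// The default sanitizer presumably routes through a DocumentFragment, whose adoption hits the stubbed-out adoptNode and throws; the trusted path in the group above must not.` would keep the security intent of the test visible where it is checked. Whether `throws`, `setUp` and `tearDown` from package:expect/minitest carry the same semantics as the replaced unittest versions is not visible on this page and should be confirmed before relying on the migrated assertions.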