third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp - Issue 2531163004: Remove attributes that contain javascript from MHTML

Side by Side Diff: third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp

Issue 2531163004: Remove attributes that contain javascript from MHTML (Closed)

Patch Set: Address final feedback Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « third_party/WebKit/Source/web/WebFrameSerializer.cpp ('k') | third_party/WebKit/Source/web/tests/data/frameserialization/script_in_attributes.html » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2011 Google Inc. All rights reserved.	2 * Copyright (C) 2011 Google Inc. All rights reserved.

3 *	3 *

4 * Redistribution and use in source and binary forms, with or without	4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions are	5 * modification, are permitted provided that the following conditions are

6 * met:	6 * met:

7 *	7 *

8 * * Redistributions of source code must retain the above copyright	8 * * Redistributions of source code must retain the above copyright

9 * notice, this list of conditions and the following disclaimer.	9 * notice, this list of conditions and the following disclaimer.

10 * * Redistributions in binary form must reproduce the above	10 * * Redistributions in binary form must reproduce the above

(...skipping 43 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
54	54

55 private:	55 private:

56 void didSerializeDataForFrame(const WebCString& data,	56 void didSerializeDataForFrame(const WebCString& data,

57 FrameSerializationStatus) final {	57 FrameSerializationStatus) final {

58 m_builder.append(data.data(), data.length());	58 m_builder.append(data.data(), data.length());

59 }	59 }

60	60

61 StringBuilder m_builder;	61 StringBuilder m_builder;

62 };	62 };

63	63

	64 class SimpleMHTMLPartsGenerationDelegate

	65 : public WebFrameSerializer::MHTMLPartsGenerationDelegate {

	66 private:

	67 bool shouldSkipResource(const WebURL&) final { return false; }

	68

	69 WebString getContentID(WebFrame*) final { return WebString("<cid>"); }

	70

	71 WebFrameSerializerCacheControlPolicy cacheControlPolicy() final {

	72 return WebFrameSerializerCacheControlPolicy::None;

	73 }

	74

	75 bool useBinaryEncoding() final { return false; }

	76 };

	77

64 } // namespace	78 } // namespace

65	79

66 class WebFrameSerializerTest : public testing::Test {	80 class WebFrameSerializerTest : public testing::Test {

67 protected:	81 protected:

68 WebFrameSerializerTest() { m_helper.initialize(); }	82 WebFrameSerializerTest() { m_helper.initialize(); }

69	83

70 ~WebFrameSerializerTest() override {	84 ~WebFrameSerializerTest() override {

71 Platform::current()->getURLLoaderMockFactory()->unregisterAllURLs();	85 Platform::current()->getURLLoaderMockFactory()->unregisterAllURLs();

72 WebCache::clear();	86 WebCache::clear();

73 }	87 }

(...skipping 83 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
157 EXPECT_EQ(expectedHTML, actualHTML);	171 EXPECT_EQ(expectedHTML, actualHTML);

158 }	172 }

159	173

160 TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {	174 TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {

161 String actualHTML =	175 String actualHTML =

162 serializeFile("http://www.test.com?--x--", "text_only_page.html");	176 serializeFile("http://www.test.com?--x--", "text_only_page.html");

163 EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->",	177 EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->",

164 actualHTML.substring(1, 60));	178 actualHTML.substring(1, 60));

165 }	179 }

166	180

	181 class WebFrameSerializerSanitizationTest : public WebFrameSerializerTest {

	182 protected:

	183 WebFrameSerializerSanitizationTest() {}

	184

	185 ~WebFrameSerializerSanitizationTest() override {}

	186

	187 String generateMHTMLParts(const String& url, const String& fileName) {

	188 KURL parsedURL(ParsedURLString, url);

	189 URLTestHelpers::registerMockedURLLoad(parsedURL, fileName,

	190 "frameserialization/", "text/html");

	191 FrameTestHelpers::loadFrame(mainFrameImpl(), url.utf8().data());

	192 WebThreadSafeData result = WebFrameSerializer::generateMHTMLParts(

	193 WebString("boundary"), mainFrameImpl(), &m_mhtmlDelegate);

	194 return String(result.data(), result.size());

	195 }

	196

	197 private:

	198 SimpleMHTMLPartsGenerationDelegate m_mhtmlDelegate;

	199 };

	200

	201 TEST_F(WebFrameSerializerSanitizationTest, RemoveInlineScriptInAttributes) {

	202 String mhtml =

	203 generateMHTMLParts("http://www.test.com", "script_in_attributes.html");

	204

	205 // These scripting attributes should be removed.

	206 EXPECT_EQ(WTF::kNotFound, mhtml.find("onload="));

	207 EXPECT_EQ(WTF::kNotFound, mhtml.find("ONLOAD="));

	208 EXPECT_EQ(WTF::kNotFound, mhtml.find("onclick="));

	209 EXPECT_EQ(WTF::kNotFound, mhtml.find("href="));

	210 EXPECT_EQ(WTF::kNotFound, mhtml.find("from="));

	211 EXPECT_EQ(WTF::kNotFound, mhtml.find("to="));

	212 EXPECT_EQ(WTF::kNotFound, mhtml.find("javascript:"));

	213

	214 // These non-scripting attributes should remain intact.

	215 EXPECT_NE(WTF::kNotFound, mhtml.find("class="));

	216 EXPECT_NE(WTF::kNotFound, mhtml.find("id="));

	217

	218 // srcdoc attribute of frame element should be replaced with src attribute.

	219 EXPECT_EQ(WTF::kNotFound, mhtml.find("srcdoc="));

	220 EXPECT_NE(WTF::kNotFound, mhtml.find("src="));

	221 }

	222

167 } // namespace blink	223 } // namespace blink

OLD	NEW