Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(196)

Side by Side Diff: third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp

Issue 2531163004: Remove attributes that contain javascript from MHTML (Closed)
Patch Set: Address feedback Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Google Inc. All rights reserved. 2 * Copyright (C) 2011 Google Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are 5 * modification, are permitted provided that the following conditions are
6 * met: 6 * met:
7 * 7 *
8 * * Redistributions of source code must retain the above copyright 8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above 10 * * Redistributions in binary form must reproduce the above
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
54 54
55 private: 55 private:
56 void didSerializeDataForFrame(const WebCString& data, 56 void didSerializeDataForFrame(const WebCString& data,
57 FrameSerializationStatus) final { 57 FrameSerializationStatus) final {
58 m_builder.append(data.data(), data.length()); 58 m_builder.append(data.data(), data.length());
59 } 59 }
60 60
61 StringBuilder m_builder; 61 StringBuilder m_builder;
62 }; 62 };
63 63
64 class SimpleMHTMLPartsGenerationDelegate
65 : public WebFrameSerializer::MHTMLPartsGenerationDelegate {
66 private:
67 bool shouldSkipResource(const WebURL&) final { return false; }
68
69 WebString getContentID(WebFrame*) final { return WebString(); }
70
71 WebFrameSerializerCacheControlPolicy cacheControlPolicy() final {
72 return WebFrameSerializerCacheControlPolicy::None;
73 }
74
75 bool useBinaryEncoding() final { return false; }
76 };
77
64 } // namespace 78 } // namespace
65 79
66 class WebFrameSerializerTest : public testing::Test { 80 class WebFrameSerializerTest : public testing::Test {
67 protected: 81 protected:
68 WebFrameSerializerTest() { m_helper.initialize(); } 82 WebFrameSerializerTest() { m_helper.initialize(); }
69 83
70 ~WebFrameSerializerTest() override { 84 ~WebFrameSerializerTest() override {
71 Platform::current()->getURLLoaderMockFactory()->unregisterAllURLs(); 85 Platform::current()->getURLLoaderMockFactory()->unregisterAllURLs();
72 WebCache::clear(); 86 WebCache::clear();
73 } 87 }
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
157 EXPECT_EQ(expectedHTML, actualHTML); 171 EXPECT_EQ(expectedHTML, actualHTML);
158 } 172 }
159 173
160 TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) { 174 TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {
161 String actualHTML = 175 String actualHTML =
162 serializeFile("http://www.test.com?--x--", "text_only_page.html"); 176 serializeFile("http://www.test.com?--x--", "text_only_page.html");
163 EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->", 177 EXPECT_EQ("<!-- saved from url=(0030)http://www.test.com/?-%2Dx-%2D -->",
164 actualHTML.substring(1, 60)); 178 actualHTML.substring(1, 60));
165 } 179 }
166 180
181 class WebFrameSerializerSanitizationTest : public WebFrameSerializerTest {
182 protected:
183 WebFrameSerializerSanitizationTest() {}
184
185 ~WebFrameSerializerSanitizationTest() override {}
186
187 String generateMHTMLParts(const String& url, const String& fileName) {
188 KURL parsedURL(ParsedURLString, url);
189 URLTestHelpers::registerMockedURLLoad(parsedURL, fileName,
190 "frameserialization/", "text/html");
191 FrameTestHelpers::loadFrame(mainFrameImpl(), url.utf8().data());
192 WebThreadSafeData result = WebFrameSerializer::generateMHTMLParts(
193 WebString("boundary"), mainFrameImpl(), &m_mhtmlDelegate);
194 return String(result.data(), result.size());
195 }
196
197 private:
198 SimpleMHTMLPartsGenerationDelegate m_mhtmlDelegate;
199 };
200
201 TEST_F(WebFrameSerializerSanitizationTest, RemoveInlineScriptInAttributes) {
202 String mhtml =
203 generateMHTMLParts("http://www.test.com", "script_in_attributes.html");
204 EXPECT_EQ(std::string::npos, mhtml.find("onload="));
205 EXPECT_EQ(std::string::npos, mhtml.find("onclick="));
206 EXPECT_EQ(std::string::npos, mhtml.find("href="));
207 EXPECT_EQ(std::string::npos, mhtml.find("from="));
208 EXPECT_EQ(std::string::npos, mhtml.find("to="));
209 EXPECT_EQ(std::string::npos, mhtml.find("javascript:"));
carlosk 2016/11/30 01:03:16 I think you should also test a few positive cases
jianli 2016/11/30 01:35:37 Done.
210 }
211
167 } // namespace blink 212 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698