| Index: third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
|
| diff --git a/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp b/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
|
| index 9e1caf5b6438832051464a5d05e4d8ee9a5d22ff..468e236bc0b3d303436561a3a4e1741d26c6d2a6 100644
|
| --- a/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
|
| +++ b/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
|
| @@ -61,6 +61,20 @@ class SimpleWebFrameSerializerClient final : public WebFrameSerializerClient {
|
| StringBuilder m_builder;
|
| };
|
|
|
| +class SimpleMHTMLPartsGenerationDelegate
|
| + : public WebFrameSerializer::MHTMLPartsGenerationDelegate {
|
| + private:
|
| + bool shouldSkipResource(const WebURL&) final { return false; }
|
| +
|
| + WebString getContentID(WebFrame*) final { return WebString("<cid>"); }
|
| +
|
| + WebFrameSerializerCacheControlPolicy cacheControlPolicy() final {
|
| + return WebFrameSerializerCacheControlPolicy::None;
|
| + }
|
| +
|
| + bool useBinaryEncoding() final { return false; }
|
| +};
|
| +
|
| } // namespace
|
|
|
| class WebFrameSerializerTest : public testing::Test {
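Review bot: SimpleMHTMLPartsGenerationDelegate is declared without `final`, although each of its overrides is `final` and the neighbouring SimpleWebFrameSerializerClient (named in the hunk header) is a `final` class; `class SimpleMHTMLPartsGenerationDelegate final` would match. The class also has no comment explaining that it is a pass-through stub, which matters because the sanitization test's result depends on these choices. Something like `// Stub delegate: skips no resource, fixed Content-ID, no cache-control policy, non-binary encoding.` above the class would make that explicit.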
|
| @@ -164,4 +178,46 @@ TEST_F(WebFrameSerializerTest, FromUrlWithMinusMinus) {
|
| actualHTML.substring(1, 60));
|
| }
|
|
|
| +class WebFrameSerializerSanitizationTest : public WebFrameSerializerTest {
|
| + protected:
|
| + WebFrameSerializerSanitizationTest() {}
|
| +
|
| + ~WebFrameSerializerSanitizationTest() override {}
|
| +
|
| + String generateMHTMLParts(const String& url, const String& fileName) {
|
| + KURL parsedURL(ParsedURLString, url);
|
| + URLTestHelpers::registerMockedURLLoad(parsedURL, fileName,
|
| + "frameserialization/", "text/html");
|
| + FrameTestHelpers::loadFrame(mainFrameImpl(), url.utf8().data());
|
| + WebThreadSafeData result = WebFrameSerializer::generateMHTMLParts(
|
| + WebString("boundary"), mainFrameImpl(), &m_mhtmlDelegate);
|
| + return String(result.data(), result.size());
|
| + }
|
| +
|
| + private:
|
| + SimpleMHTMLPartsGenerationDelegate m_mhtmlDelegate;
|
| +};
|
| +
|
| +TEST_F(WebFrameSerializerSanitizationTest, RemoveInlineScriptInAttributes) {
|
| + String mhtml =
|
| + generateMHTMLParts("http://www.test.com", "script_in_attributes.html");
|
| +
|
| + // These scripting attributes should be removed.
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("onload="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("ONLOAD="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("onclick="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("href="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("from="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("to="));
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("javascript:"));
|
| +
|
| + // These non-scripting attributes should remain intact.
|
| + EXPECT_NE(WTF::kNotFound, mhtml.find("class="));
|
| + EXPECT_NE(WTF::kNotFound, mhtml.find("id="));
|
| +
|
| + // srcdoc attribute of frame element should be replaced with src attribute.
|
| + EXPECT_EQ(WTF::kNotFound, mhtml.find("srcdoc="));
|
| + EXPECT_NE(WTF::kNotFound, mhtml.find("src="));
|
| +}
|
| +
|
| } // namespace blink
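Review bot: The negative checks in RemoveInlineScriptInAttributes search the still-encoded MHTML text returned by generateMHTMLParts, so they can pass without proving that the attribute was removed. With useBinaryEncoding() returning false the HTML part is presumably quoted-printable, where a soft line break can fall inside `onclick=` or `javascript:` and hide it from `find`. The search is also case-sensitive, so only the spellings `onload=` and `ONLOAD=` are covered and a mixed-case attribute would go unnoticed. Consider asserting on the decoded part body, or at least add `// Substring checks run on the encoded part; keep fixture lines short so no soft break splits a token.` above the first EXPECT_EQ. The `href=` check forbids every href in the output, so the test does not show whether non-script links survive sanitization; that depends on script_in_attributes.html, which is not part of this diff.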
|
|
|