Index: tests/lib_strong/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart |
diff --git a/tests/lib_strong/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart b/tests/lib_strong/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart |
index 84821ffb9c24cd33f43e16e7a920d46b59e52035..db130b151da8a2173178b2e749e7d38c044bf869 100644 |
--- a/tests/lib_strong/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart |
+++ b/tests/lib_strong/html/node_validator_important_if_you_suppress_make_the_bug_critical_test.dart |
@@ -17,8 +17,8 @@ import 'utils.dart'; |
void validateHtml(String html, String reference, NodeValidator validator) { |
var a = document.body.createFragment(html, validator: validator); |
- var b = document.body.createFragment(reference, |
- treeSanitizer: NodeTreeSanitizer.trusted); |
+ var b = document.body |
+ .createFragment(reference, treeSanitizer: NodeTreeSanitizer.trusted); |
// Prevent a false pass when both the html and the reference both get entirely |
// deleted, which is technically a match, but unlikely to be what we meant. |
@@ -42,7 +42,7 @@ class RecordingUriValidator implements UriPolicy { |
} |
void testHtml(String name, NodeValidator validator, String html, |
- [String reference]) { |
+ [String reference]) { |
test(name, () { |
if (reference == null) { |
reference = html; |
@@ -56,63 +56,44 @@ main() { |
group('DOM_sanitization', () { |
var validator = new NodeValidatorBuilder.common(); |
- testHtml('allows simple constructs', |
- validator, |
+ testHtml('allows simple constructs', validator, |
'<div class="baz">something</div>'); |
- testHtml('blocks unknown attributes', |
- validator, |
- '<div foo="baz">something</div>', |
- '<div>something</div>'); |
+ testHtml('blocks unknown attributes', validator, |
+ '<div foo="baz">something</div>', '<div>something</div>'); |
- testHtml('blocks custom element', |
- validator, |
- '<x-my-element>something</x-my-element>', |
- ''); |
+ testHtml('blocks custom element', validator, |
+ '<x-my-element>something</x-my-element>', ''); |
- testHtml('blocks custom is element', |
- validator, |
- '<div is="x-my-element">something</div>', |
- ''); |
+ testHtml('blocks custom is element', validator, |
+ '<div is="x-my-element">something</div>', ''); |
- testHtml('blocks body elements', |
- validator, |
- '<body background="s"></body>', |
- ''); |
+ testHtml( |
+ 'blocks body elements', validator, '<body background="s"></body>', ''); |
- testHtml('allows select elements', |
+ testHtml( |
+ 'allows select elements', |
validator, |
'<select>' |
- '<option>a</option>' |
+ '<option>a</option>' |
'</select>'); |
- testHtml('blocks sequential script elements', |
- validator, |
- '<div><script></script><script></script></div>', |
- '<div></div>'); |
+ testHtml('blocks sequential script elements', validator, |
+ '<div><script></script><script></script></div>', '<div></div>'); |
- testHtml('blocks inline styles', |
- validator, |
- '<div style="background: red"></div>', |
- '<div></div>'); |
+ testHtml('blocks inline styles', validator, |
+ '<div style="background: red"></div>', '<div></div>'); |
- testHtml('blocks namespaced attributes', |
- validator, |
- '<div ns:foo="foo"></div>', |
- '<div></div>'); |
+ testHtml('blocks namespaced attributes', validator, |
+ '<div ns:foo="foo"></div>', '<div></div>'); |
- testHtml('blocks namespaced common attributes', |
- validator, |
- '<div ns:class="foo"></div>', |
- '<div></div>'); |
+ testHtml('blocks namespaced common attributes', validator, |
+ '<div ns:class="foo"></div>', '<div></div>'); |
- testHtml('blocks namespaced common elements', |
- validator, |
- '<ns:div></ns:div>', |
- ''); |
+ testHtml('blocks namespaced common elements', validator, |
+ '<ns:div></ns:div>', ''); |
- testHtml('allows CDATA sections', |
- validator, |
+ testHtml('allows CDATA sections', validator, |
'<span>![CDATA[ some text ]]></span>'); |
test('sanitizes template contents', () { |
@@ -122,13 +103,12 @@ main() { |
'<div></div>' |
'<script></script>' |
'<img src="http://example.com/foo"/>' |
- '</template>'; |
+ '</template>'; |
var fragment = document.body.createFragment(html, validator: validator); |
var template = fragment.nodes.single as TemplateElement; |
- var expectedContent = document.body.createFragment( |
- '<div></div>' |
+ var expectedContent = document.body.createFragment('<div></div>' |
'<img/>'); |
validateNodeTree(template.content, expectedContent); |
@@ -153,10 +133,11 @@ main() { |
expect(child.childNodes.length, 0); |
}); |
- testHtml("sanitizes embed", |
- validator, |
- "<div><embed src='' type='application/x-shockwave-flash'></embed></div>", |
- "<div></div>"); |
+ testHtml( |
+ "sanitizes embed", |
+ validator, |
+ "<div><embed src='' type='application/x-shockwave-flash'></embed></div>", |
+ "<div></div>"); |
}); |
group('URI_sanitization', () { |
@@ -165,7 +146,6 @@ main() { |
checkUriPolicyCalls(String name, String html, String reference, |
List<String> expectedCalls) { |
- |
test(name, () { |
recorder.reset(); |
@@ -174,184 +154,118 @@ main() { |
}); |
} |
- checkUriPolicyCalls('a::href', |
- '<a href="s"></a>', |
- '<a></a>', |
- ['s']); |
+ checkUriPolicyCalls('a::href', '<a href="s"></a>', '<a></a>', ['s']); |
- checkUriPolicyCalls('area::href', |
- '<area href="s"></area>', |
- '<area></area>', |
- ['s']); |
+ checkUriPolicyCalls( |
+ 'area::href', '<area href="s"></area>', '<area></area>', ['s']); |
- checkUriPolicyCalls('blockquote::cite', |
+ checkUriPolicyCalls( |
+ 'blockquote::cite', |
'<blockquote cite="s"></blockquote>', |
'<blockquote></blockquote>', |
['s']); |
- checkUriPolicyCalls('command::icon', |
- '<command icon="s"/>', |
- '<command/>', |
- ['s']); |
- checkUriPolicyCalls('img::src', |
- '<img src="s"/>', |
- '<img/>', |
- ['s']); |
- checkUriPolicyCalls('input::src', |
- '<input src="s"/>', |
- '<input/>', |
- ['s']); |
- checkUriPolicyCalls('ins::cite', |
- '<ins cite="s"></ins>', |
- '<ins></ins>', |
- ['s']); |
- checkUriPolicyCalls('q::cite', |
- '<q cite="s"></q>', |
- '<q></q>', |
- ['s']); |
- checkUriPolicyCalls('video::poster', |
- '<video poster="s"/>', |
- '<video/>', |
- ['s']); |
+ checkUriPolicyCalls( |
+ 'command::icon', '<command icon="s"/>', '<command/>', ['s']); |
+ checkUriPolicyCalls('img::src', '<img src="s"/>', '<img/>', ['s']); |
+ checkUriPolicyCalls('input::src', '<input src="s"/>', '<input/>', ['s']); |
+ checkUriPolicyCalls( |
+ 'ins::cite', '<ins cite="s"></ins>', '<ins></ins>', ['s']); |
+ checkUriPolicyCalls('q::cite', '<q cite="s"></q>', '<q></q>', ['s']); |
+ checkUriPolicyCalls( |
+ 'video::poster', '<video poster="s"/>', '<video/>', ['s']); |
}); |
group('allowNavigation', () { |
var validator = new NodeValidatorBuilder()..allowNavigation(); |
- testHtml('allows anchor tags', |
- validator, |
- '<a href="#foo">foo</a>'); |
+ testHtml('allows anchor tags', validator, '<a href="#foo">foo</a>'); |
- testHtml('allows form elements', |
- validator, |
+ testHtml('allows form elements', validator, |
'<form method="post" action="/foo"></form>'); |
- testHtml('disallows script navigation', |
- validator, |
- '<a href="javascript:foo = 1">foo</a>', |
- '<a>foo</a>'); |
+ testHtml('disallows script navigation', validator, |
+ '<a href="javascript:foo = 1">foo</a>', '<a>foo</a>'); |
- testHtml('disallows cross-site navigation', |
- validator, |
- '<a href="http://example.com">example.com</a>', |
- '<a>example.com</a>'); |
+ testHtml('disallows cross-site navigation', validator, |
+ '<a href="http://example.com">example.com</a>', '<a>example.com</a>'); |
- testHtml('blocks other elements', |
- validator, |
- '<a href="#foo"><b>foo</b></a>', |
- '<a href="#foo"></a>'); |
+ testHtml('blocks other elements', validator, |
+ '<a href="#foo"><b>foo</b></a>', '<a href="#foo"></a>'); |
- testHtml('blocks tag extension', |
- validator, |
- '<a is="x-foo"></a>', |
- ''); |
+ testHtml('blocks tag extension', validator, '<a is="x-foo"></a>', ''); |
}); |
group('allowImages', () { |
var validator = new NodeValidatorBuilder()..allowImages(); |
- testHtml('allows images', |
- validator, |
+ testHtml('allows images', validator, |
'<img src="/foo.jpg" alt="something" width="100" height="100"/>'); |
- testHtml('blocks onerror', |
- validator, |
- '<img src="/foo.jpg" onerror="something"/>', |
- '<img src="/foo.jpg"/>'); |
+ testHtml('blocks onerror', validator, |
+ '<img src="/foo.jpg" onerror="something"/>', '<img src="/foo.jpg"/>'); |
- testHtml('enforces same-origin', |
- validator, |
- '<img src="http://example.com/foo.jpg"/>', |
- '<img/>'); |
+ testHtml('enforces same-origin', validator, |
+ '<img src="http://example.com/foo.jpg"/>', '<img/>'); |
}); |
group('allowCustomElement', () { |
var validator = new NodeValidatorBuilder() |
- ..allowCustomElement( |
- 'x-foo', |
- attributes: ['bar'], |
- uriAttributes: ['baz']) |
+ ..allowCustomElement('x-foo', attributes: ['bar'], uriAttributes: ['baz']) |
..allowHtml5(); |
- testHtml('allows custom elements', |
- validator, |
+ testHtml('allows custom elements', validator, |
'<x-foo bar="something" baz="/foo.jpg"></x-foo>'); |
+ testHtml('validates custom tag URIs', validator, |
+ '<x-foo baz="http://example.com/foo.jpg"></x-foo>', '<x-foo></x-foo>'); |
- testHtml('validates custom tag URIs', |
- validator, |
- '<x-foo baz="http://example.com/foo.jpg"></x-foo>', |
- '<x-foo></x-foo>'); |
+ testHtml('blocks type extensions', validator, '<div is="x-foo"></div>', ''); |
- testHtml('blocks type extensions', |
- validator, |
- '<div is="x-foo"></div>', |
- ''); |
- |
- testHtml('blocks tags on non-matching elements', |
- validator, |
- '<div bar="foo"></div>', |
- '<div></div>'); |
+ testHtml('blocks tags on non-matching elements', validator, |
+ '<div bar="foo"></div>', '<div></div>'); |
}); |
group('identify Uri attributes listed as attributes', () { |
var validator = new NodeValidatorBuilder() |
- ..allowElement( |
- 'a', |
- attributes: ['href']); |
+ ..allowElement('a', attributes: ['href']); |
- testHtml('reject different-origin link', |
- validator, |
+ testHtml( |
+ 'reject different-origin link', |
+ validator, |
'<a href="http://www.google.com/foo">Google-Foo</a>', |
'<a>Google-Foo</a>'); |
}); |
group('allowTagExtension', () { |
- var validator = new NodeValidatorBuilder() |
- ..allowTagExtension( |
- 'x-foo', |
- 'div', |
- attributes: ['bar'], |
- uriAttributes: ['baz']) |
+ var validator = new NodeValidatorBuilder() |
+ ..allowTagExtension('x-foo', 'div', |
+ attributes: ['bar'], uriAttributes: ['baz']) |
..allowHtml5(); |
- testHtml('allows tag extensions', |
- validator, |
+ testHtml('allows tag extensions', validator, |
'<div is="x-foo" bar="something" baz="/foo.jpg"></div>'); |
- testHtml('blocks custom elements', |
- validator, |
- '<x-foo></x-foo>', |
- ''); |
+ testHtml('blocks custom elements', validator, '<x-foo></x-foo>', ''); |
- testHtml('validates tag extension URIs', |
+ testHtml( |
+ 'validates tag extension URIs', |
validator, |
'<div is="x-foo" baz="http://example.com/foo.jpg"></div>', |
'<div is="x-foo"></div>'); |
- testHtml('blocks tags on non-matching elements', |
- validator, |
- '<div bar="foo"></div>', |
- '<div></div>'); |
+ testHtml('blocks tags on non-matching elements', validator, |
+ '<div bar="foo"></div>', '<div></div>'); |
- testHtml('blocks non-matching tags', |
- validator, |
- '<span is="x-foo">something</span>', |
- ''); |
+ testHtml('blocks non-matching tags', validator, |
+ '<span is="x-foo">something</span>', ''); |
validator = new NodeValidatorBuilder() |
- ..allowTagExtension( |
- 'x-foo', |
- 'div', |
- attributes: ['bar'], |
- uriAttributes: ['baz']) |
- ..allowTagExtension( |
- 'x-else', |
- 'div'); |
- |
- testHtml('blocks tags on non-matching custom elements', |
- validator, |
- '<div bar="foo" is="x-else"></div>', |
- '<div is="x-else"></div>'); |
+ ..allowTagExtension('x-foo', 'div', |
+ attributes: ['bar'], uriAttributes: ['baz']) |
+ ..allowTagExtension('x-else', 'div'); |
+ |
+ testHtml('blocks tags on non-matching custom elements', validator, |
+ '<div bar="foo" is="x-else"></div>', '<div is="x-else"></div>'); |
}); |
group('allowTemplating', () { |
@@ -359,22 +273,17 @@ main() { |
..allowTemplating() |
..allowHtml5(); |
- testHtml('allows templates', |
- validator, |
- '<template bind="{{a}}"></template>'); |
+ testHtml( |
+ 'allows templates', validator, '<template bind="{{a}}"></template>'); |
- testHtml('allows template attributes', |
- validator, |
+ testHtml('allows template attributes', validator, |
'<template bind="{{a}}" ref="foo" repeat="{{}}" if="{{}}" syntax="foo"></template>'); |
- testHtml('allows template attribute', |
- validator, |
+ testHtml('allows template attribute', validator, |
'<div template repeat="{{}}"></div>'); |
- testHtml('blocks illegal template attribute', |
- validator, |
- '<div template="foo" repeat="{{}}"></div>', |
- '<div></div>'); |
+ testHtml('blocks illegal template attribute', validator, |
+ '<div template="foo" repeat="{{}}"></div>', '<div></div>'); |
}); |
group('allowSvg', () { |
@@ -382,81 +291,80 @@ main() { |
..allowSvg() |
..allowTextElements(); |
- testHtml('allows basic SVG', |
- validator, |
- '<svg xmlns="http://www.w3.org/2000/svg' |
- 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
+ testHtml( |
+ 'allows basic SVG', |
+ validator, |
+ '<svg xmlns="http://www.w3.org/2000/svg' |
+ 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
'<image xlink:href="foo" data-foo="bar"/>' |
- '</svg>'); |
+ '</svg>'); |
- testHtml('blocks script elements', |
- validator, |
- '<svg xmlns="http://www.w3.org/2000/svg>' |
+ testHtml( |
+ 'blocks script elements', |
+ validator, |
+ '<svg xmlns="http://www.w3.org/2000/svg>' |
'<script></script>' |
- '</svg>', |
- ''); |
+ '</svg>', |
+ ''); |
- testHtml('blocks script elements but allows other', |
- validator, |
- '<svg xmlns="http://www.w3.org/2000/svg>' |
+ testHtml( |
+ 'blocks script elements but allows other', |
+ validator, |
+ '<svg xmlns="http://www.w3.org/2000/svg>' |
'<script></script><ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>' |
- '</svg>', |
- '<svg xmlns="http://www.w3.org/2000/svg>' |
+ '</svg>', |
+ '<svg xmlns="http://www.w3.org/2000/svg>' |
'<ellipse cx="200" cy="80" rx="100" ry="50"></ellipse>' |
- '</svg>'); |
+ '</svg>'); |
- testHtml('blocks script handlers', |
- validator, |
- '<svg xmlns="http://www.w3.org/2000/svg' |
- 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
+ testHtml( |
+ 'blocks script handlers', |
+ validator, |
+ '<svg xmlns="http://www.w3.org/2000/svg' |
+ 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
'<image xlink:href="foo" onerror="something"/>' |
- '</svg>', |
- '<svg xmlns="http://www.w3.org/2000/svg' |
- 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
+ '</svg>', |
+ '<svg xmlns="http://www.w3.org/2000/svg' |
+ 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
'<image xlink:href="foo"/>' |
- '</svg>'); |
+ '</svg>'); |
- testHtml('blocks foreignObject content', |
- validator, |
- '<svg xmlns="http://www.w3.org/2000/svg">' |
+ testHtml( |
+ 'blocks foreignObject content', |
+ validator, |
+ '<svg xmlns="http://www.w3.org/2000/svg">' |
'<foreignobject width="100" height="150">' |
- '<body xmlns="http://www.w3.org/1999/xhtml">' |
- '<div>Some content</div>' |
- '</body>' |
+ '<body xmlns="http://www.w3.org/1999/xhtml">' |
+ '<div>Some content</div>' |
+ '</body>' |
'</foreignobject>' |
'<b>42</b>' |
- '</svg>', |
- '<svg xmlns="http://www.w3.org/2000/svg">' |
+ '</svg>', |
+ '<svg xmlns="http://www.w3.org/2000/svg">' |
'<b>42</b>' |
- '</svg>'); |
+ '</svg>'); |
}); |
group('allowInlineStyles', () { |
var validator = new NodeValidatorBuilder() |
- ..allowTextElements() |
- ..allowInlineStyles(); |
+ ..allowTextElements() |
+ ..allowInlineStyles(); |
- testHtml('allows inline styles', |
- validator, |
+ testHtml('allows inline styles', validator, |
'<span style="background-color:red">text</span>'); |
- testHtml('blocks other attributes', |
- validator, |
- '<span class="red-span"></span>', |
- '<span></span>'); |
+ testHtml('blocks other attributes', validator, |
+ '<span class="red-span"></span>', '<span></span>'); |
validator = new NodeValidatorBuilder() |
- ..allowTextElements() |
- ..allowInlineStyles(tagName: 'span'); |
+ ..allowTextElements() |
+ ..allowInlineStyles(tagName: 'span'); |
- testHtml('scoped allows inline styles on spans', |
- validator, |
+ testHtml('scoped allows inline styles on spans', validator, |
'<span style="background-color:red">text</span>'); |
- testHtml('scoped blocks inline styles on LIs', |
- validator, |
- '<li style="background-color:red">text</li>', |
- '<li>text</li>'); |
+ testHtml('scoped blocks inline styles on LIs', validator, |
+ '<li style="background-color:red">text</li>', '<li>text</li>'); |
}); |
group('throws', () { |
@@ -478,8 +386,8 @@ main() { |
test('throws on invalid attributes', () { |
expect(() { |
- document.body.createFragment('<div foo="bar"></div>', |
- validator: validator); |
+ document.body |
+ .createFragment('<div foo="bar"></div>', validator: validator); |
}, validationError); |
}); |
@@ -493,11 +401,10 @@ main() { |
group('svg', () { |
test('parsing', () { |
- var svgText = |
- '<svg xmlns="http://www.w3.org/2000/svg' |
- 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
+ var svgText = '<svg xmlns="http://www.w3.org/2000/svg' |
+ 'xmlns:xlink="http://www.w3.org/1999/xlink">' |
'<image xlink:href="foo" data-foo="bar"/>' |
- '</svg>'; |
+ '</svg>'; |
var fragment = new DocumentFragment.svg(svgText); |
var element = fragment.nodes.first as Element; |
@@ -509,34 +416,36 @@ main() { |
group('dom_clobbering', () { |
var validator = new NodeValidatorBuilder.common(); |
- testHtml('DOM clobbering of attributes with single node', |
- validator, |
- "<form id='single_node_clobbering' onmouseover='alert(1)'><input name='attributes'>", |
- ""); |
- |
- testHtml('DOM clobbering of attributes with multiple nodes', |
- validator, |
- "<form onmouseover='alert(1)'><input name='attributes'>" |
- "<input name='attributes'>", |
- ""); |
- |
- testHtml('DOM clobbering of lastChild', |
- validator, |
- "<form><input name='lastChild'><input onmouseover='alert(1)'>", |
- ""); |
- |
- testHtml('DOM clobbering of both children and lastChild', |
- validator, |
- "<form><input name='lastChild'><input name='children'>" |
- "<input id='children'><input onmouseover='alert(1)'>", |
- ""); |
- |
- testHtml('DOM clobbering of both children and lastChild, different order', |
- validator, |
- "<form><input name='children'><input name='children'>" |
- "<input id='children' name='lastChild'>" |
- "<input id='bad' onmouseover='alert(1)'>", |
- ""); |
+ testHtml( |
+ 'DOM clobbering of attributes with single node', |
+ validator, |
+ "<form id='single_node_clobbering' onmouseover='alert(1)'><input name='attributes'>", |
+ ""); |
+ |
+ testHtml( |
+ 'DOM clobbering of attributes with multiple nodes', |
+ validator, |
+ "<form onmouseover='alert(1)'><input name='attributes'>" |
+ "<input name='attributes'>", |
+ ""); |
+ |
+ testHtml('DOM clobbering of lastChild', validator, |
+ "<form><input name='lastChild'><input onmouseover='alert(1)'>", ""); |
+ |
+ testHtml( |
+ 'DOM clobbering of both children and lastChild', |
+ validator, |
+ "<form><input name='lastChild'><input name='children'>" |
+ "<input id='children'><input onmouseover='alert(1)'>", |
+ ""); |
+ |
+ testHtml( |
+ 'DOM clobbering of both children and lastChild, different order', |
+ validator, |
+ "<form><input name='children'><input name='children'>" |
+ "<input id='children' name='lastChild'>" |
+ "<input id='bad' onmouseover='alert(1)'>", |
+ ""); |
test('tagName makes containing form invalid', () { |
var fragment = document.body.createFragment( |
@@ -554,9 +463,8 @@ main() { |
}); |
test('tagName without mouseover', () { |
- var fragment = document.body.createFragment( |
- "<form><input name='tagName'>", |
- validator: validator); |
+ var fragment = document.body |
+ .createFragment("<form><input name='tagName'>", validator: validator); |
var form = fragment.lastChild as FormElement; |
// If the tagName was clobbered, the sanitizer should have removed |
// the whole thing and form is null. |