/**
* @license
* Copyright (c) 2017 The Polymer Project Authors. All rights reserved.
* This code may only be used under the BSD style license found at
* http://polymer.github.io/LICENSE.txt
* The complete set of authors may be found at
* http://polymer.github.io/AUTHORS.txt
* The complete set of contributors may be found at
* http://polymer.github.io/CONTRIBUTORS.txt
* Code distributed by Google as part of the polymer project is also
* subject to an additional IP rights grant found at
* http://polymer.github.io/PATENTS.txt
*/
goog.provide('a_tag_tests');
goog.require('goog.html.SafeUrl');
goog.require('goog.string.Const');
/**
 * Returns a sorted copy of `arr` with adjacent duplicates collapsed, i.e. the
 * distinct elements of the input in lexicographic order. The input array is
 * not modified.
 * @param {!Array.<string>} arr
 * @return {!Array.<string>}
 */
function uniq(arr) {
  // Sort a copy so the caller's array is left untouched; once sorted, equal
  // strings are neighbours and a single pass can drop the repeats.
  var sorted = arr.slice().sort();
  var distinct = [];
  for (var i = 0; i < sorted.length; i++) {
    if (i === 0 || sorted[i] !== sorted[i - 1]) {
      distinct.push(sorted[i]);
    }
  }
  return distinct;
}
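suite(
    'ATagtests',
    function () {
      // Element under test. Re-created from the 'a-tag-tests' fixture before
      // every test so each case starts from a fresh template instance.
      var toCheck;

      setup(function () {
        toCheck = fixture('a-tag-tests');
      });

      // Security invariant, checked after EVERY test: the sanitizer must have
      // reported exactly one thing -- the rejected untrusted
      // `javascript:doEvil()` href -- and nothing else. This catches both
      // failure modes: the evil payload being accepted silently (no report),
      // and a trusted value (SafeUrl, template literal) being wrongly
      // sanitized (extra report). The #resin-reports element appears to
      // accumulate lines across tests, which is why they are deduplicated
      // with uniq() rather than compared raw.
      teardown(function () {
        var reportLines = uniq(
            document.getElementById('resin-reports').textContent.split('\n'));
        // uniq() sorts, so an empty line from split() lands first; trim
        // leading/trailing newlines before comparing.
        var actual = reportLines.join('\n').replace(/^\n+|\n+$/g, '');
        // (actual, expected) order, consistent with the other assertions in
        // this suite, so a failure message reads the right way round.
        assert.equal(
            actual,
            'Failed to sanitize attribute of <a>: <a href="javascript:doEvil()">');
      });

      /**
       * Looks up an <a> inside the fixture element by id.
       * @param {string} id
       * @return {?Element}
       */
      function getA(id) {
        return toCheck.$$('#' + id);
      }

      // An ordinary http URL must pass through untouched.
      test('innocuous_string', function() {
        assert.equal(
            getA('a1').href,
            'http://example.com/ok');
      });

      // A javascript: URL is acceptable only when it arrives as a Closure
      // SafeUrl. Here it is built from a compile-time goog.string.Const, so it
      // is trusted by construction and must be reflected verbatim (presumably
      // the fixture binds `safeUrl` to a2's href -- fixture not shown here).
      test('safe_url', function() {
        toCheck.safeUrl = goog.html.SafeUrl.fromConstant(
            goog.string.Const.from('javascript:safe()'));
        assert.equal(
            getA('a2').href,
            'javascript:safe()');
      });

      // An untrusted plain string with a javascript: scheme (per the teardown
      // message, `javascript:doEvil()`) must be replaced by the innocuous
      // placeholder URL that goog.html.SafeUrl substitutes for rejected
      // values, and a sanitizer report must be emitted (asserted in teardown).
      test('evil_payload', function() {
        assert.equal(
            getA('a3').href,
            'about:invalid#zClosurez');
      });

      // A javascript: URL written literally in the template is author
      // controlled, not data, so it must not be sanitized or reported
      // (presumably a4 carries the literal href in the fixture).
      test('literal', function() {
        assert.equal(
            getA('a4').href,
            'javascript:safe()');
      });
    });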