Context Navigation

source: Dev/branches/rest-dojo-ui/client/dojox/secure/tests/sandbox.js @ 256

Last change on this file since 256 was 256, checked in by hendrikvanantwerpen, 13 years ago
Reworked project structure based on REST interaction and Dojo library. As soon as this is stable, the old jQueryUI branch can be removed (it's kept for reference).
File size: 3.1 KB

Line
1	dojo.provide("dojox.secure.tests.sandbox");
2
3	doh.register("dojox.secure.tests.sandbox.good",
4	[
5	function setup(){
6	var div = document.createElement("div");
7	document.body.appendChild(div);
8	div.innerHTML = "Sandboxed div:";
9	div.style.position = "absolute";
10	div.style.top = "100px";
11	div.style.left = "100px";
12	div.style.backgroundColor = "red";
13	div.style.color = "white";
14	container = document.createElement("div");
15	container.style.backgroundColor = "cyan";
16	container.style.color = "black";
17	div.appendChild(container);
18	},
19	function innerHTML(t){
20	dojox.secure.evaluate("element.innerHTML = 'Hi there';",container);
21	t.assertEqual("Hi there",container.innerHTML);
22	},
23	function docWrite(t){
24	dojox.secure.evaluate("document.write(\"<div style='color:red'>written</div>\");",container);
25	t.t(container.innerHTML.match(/written/));
26	}
27	]);
28
29	function violater(func) {
30	return {name: func.name,
31	runTest: function(t) {
32	var insecure;
33	try {
34	func(t);
35	insecure = true;
36	}catch(e){
37	console.log("successfully threw error",e);
38	}
39	t.f(insecure);
40	}};
41	}
42	doh.register("dojox.secure.tests.sandbox.bad",
43	[
44	function parentNode(t){
45	t.f(dojox.secure.evaluate("document.body",container));
46	},
47	function innerHTMLScript(t){
48	try {
49	dojox.secure.evaluate("bad = true",container);
50	}catch(e){}
51	t.t(typeof bad == 'undefined');
52	}
53	/*function innerHTMLScript2(t){
54	try{
55	securedElement.innerHTML = '</script><script>bad=true;//';
56	}catch(e){}
57	t.t(typeof bad == 'undefined');
58	},
59	function writeScript(t){
60	try{
61	securedDoc.write("<script>bad=true;</script>");
62	}catch(e){}
63	t.t(typeof bad == 'undefined');
64	},
65	function appendScript(t){
66	try {
67	var script = securedDoc.createElement('script');
68	script.appendChild(securedDoc.createTextNode(
69	'bad=true'));
70	securedElement.appendChild(script);
71	}
72	catch(e) {
73
74	}
75	t.t(typeof bad == 'undefined');
76	},
77	function cssExpression(t) {
78	if (dojo.isIE) {
79	securedElement.innerHTML = '<div id="oDiv" style="left:expression((bad=true), 0)">Example DIV</div>';
80	t.t(typeof bad == 'undefined');
81	}
82	else {
83	try{
84	securedElement.innerHTML = '<input style=\'-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");\'>';
85	}catch(e){}
86
87	t.f(securedElement.innerHTML.match(/mozilla/))
88	}
89
90	},
91	function cssExpression2(t) {
92	if (dojo.isIE) {
93	securedElement.style.left = 'expression(alert("hello"), 0)';
94	t.f(securedElement.style.left.match(/alert/));
95	}
96	else {
97	try {
98	securedElement.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")';
99	}catch(e){}
100
101	}
102	},
103	function cssExpression3(t) {
104	if (dojo.isIE) {
105	securedElement.style.behavior = 'url(a1.htc)';
106	t.f(securedElement.style.behavior);
107	}
108	else {
109
110	}
111	},
112	violater(function addStyleTag(t) {
113	securedElement.innerHTML = "<style>div {color:expression(alert(\"hello\")}</style><div>test</div>";
114	}),
115	violater(function addStyleTag2(t) {
116	securedElement.innerHTML = "<style>@import 'unsafe.css'</style><div>unsafe css</div>";
117	})*/
118	]);
119

Note: See TracBrowser for help on using the repository browser.

Download in other formats: