Context Navigation

source: Dev/trunk/src/client/dojox/secure/tests/DOM.js

Last change on this file was 483, checked in by hendrikvanantwerpen, 11 years ago
Added Dojo 1.9.3 release.
File size: 5.1 KB

Rev	Line
[483]	1	dojo.provide("dojox.secure.tests.DOM");
	2	dojo.require("dojox.secure.DOM");
	3
	4	doh.register("dojox.secure.tests.DOM.good",
	5	[
	6	function setup(){
	7	var div = document.createElement("div");
	8	document.body.appendChild(div);
	9	div.innerHTML = "Sandboxed div:";
	10	div.style.position = "absolute";
	11	div.style.top = "100px";
	12	div.style.left = "100px";
	13	div.style.backgroundColor = "red";
	14	div.style.color = "white";
	15	var container = document.createElement("div");
	16	container.style.backgroundColor = "cyan";
	17	container.style.color = "black";
	18	div.appendChild(container);
	19	wrap = dojox.secure.DOM(container);
	20	securedElement = wrap(container);
	21	console.log("securedElement",securedElement);
	22	securedDoc = securedElement.ownerDocument;
	23	console.log("securedDoc",securedDoc);
	24	},
	25	function innerHTML(t){
	26	securedElement.innerHTML = "Hi there";
	27	t.assertEqual("Hi there",securedElement.data__.innerHTML);
	28	},
	29	function docWrite(t){
	30	securedDoc.write("<div style='color:red'>written</div>");
	31	console.log("wrote");
	32	securedDoc.close();
	33	t.t(securedElement.data__.innerHTML.match(/written/));
	34	},
	35	function addNode(t){
	36	var newDiv = securedDoc.createElement("div");
	37	console.log("wrapped ",newDiv.data__);
	38	newDiv.innerHTML = "inner div";
	39	console.log("style ",newDiv.style.data__);
	40	newDiv.style.color="blue";
	41	console.log('appendChild ' + securedElement.appendChild);
	42	securedElement.appendChild(newDiv);
	43	t.t(securedElement.data__.innerHTML.match(/inner/));
	44	},
	45	/*function addStyleTag(t){
	46	securedElement.innerHTML = "<style>div {color:green}</style><div>should be green</div>";
	47	console.log('after style tag' + securedElement.innerHTML);
	48	t.t(securedElement.innerHTML.match(/color/));
	49	},*/
	50	function addOnclickHandler(t){
	51	securedElement.addEventListener("click",function(event) {
	52	alert('proper click handler');
	53	});
	54
	55	}
	56	]);
	57
	58	function violater(func) {
	59	return {name: func.name,
	60	runTest: function(t) {
	61	var insecure;
	62	try {
	63	func(t);
	64	insecure = true;
	65	}catch(e){
	66	console.log("successfully threw error",e);
	67	}
	68	t.f(insecure);
	69	}};
	70	}
	71	doh.register("dojox.secure.tests.DOM.bad",
	72	[
	73	function parentNode(t){
	74	t.f(securedElement.parentNode);
	75	},
	76	function innerHTMLScript(t){
	77	try {
	78	securedElement.innerHTML = "<script>bad=true</script>";
	79	}catch(e){}
	80	t.t(typeof bad == 'undefined');
	81	},
	82	function innerHTMLScript2(t){
	83	try{
	84	securedElement.innerHTML = '</script><script>bad=true;//';
	85	}catch(e){}
	86	t.t(typeof bad == 'undefined');
	87	},
	88	function writeScript(t){
	89	try{
	90	securedDoc.write("<script>bad=true;</script>");
	91	}catch(e){}
	92	t.t(typeof bad == 'undefined');
	93	},
	94	function appendScript(t){
	95	try {
	96	var script = securedDoc.createElement('script');
	97	script.appendChild(securedDoc.createTextNode(
	98	'bad=true'));
	99	securedElement.appendChild(script);
	100	}
	101	catch(e) {
	102
	103	}
	104	t.t(typeof bad == 'undefined');
	105	},
	106	function cssExpression(t) {
	107	if (dojo.isIE) {
	108	securedElement.innerHTML = '<div id="oDiv" style="left:expression((bad=true), 0)">Example DIV</div>';
	109	t.t(typeof bad == 'undefined');
	110	}
	111	else {
	112	try{
	113	securedElement.innerHTML = '<input style=\'-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");\'>';
	114	}catch(e){}
	115
	116	t.f(securedElement.innerHTML.match(/mozilla/))
	117	}
	118
	119	},
	120	function cssExpression2(t) {
	121	if (dojo.isIE) {
	122	securedElement.style.left = 'expression(alert("hello"), 0)';
	123	t.f(securedElement.style.left.match(/alert/));
	124	}
	125	else {
	126	try {
	127	securedElement.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")';
	128	}catch(e){}
	129
	130	}
	131	},
	132	function cssExpression3(t) {
	133	if (dojo.isIE) {
	134	securedElement.style.behavior = 'url(a1.htc)';
	135	t.f(securedElement.style.behavior);
	136	}
	137	else {
	138
	139	}
	140	},
	141	/*violater(function addStyleTag(t) {
	142	securedElement.innerHTML = "<style>div {color:expression(alert(\"hello\")}</style><div>test</div>";
	143	}),
	144	violater(function addStyleTag2(t) {
	145	securedElement.innerHTML = "<style>@import 'unsafe.css'</style><div>unsafe css</div>";
	146	}),*/
	147	function addJavaScriptHref(t) {
	148	securedElement.innerHTML = "<a href='javascript:alert(3)'>illegal link</a>";
	149	},
	150	/*violater(function addNullCharSrc(t) {
	151	securedElement.innerHTML = "<a href='java�script:alert(3)'>illegal link</a>";
	152	}),*/
	153	function addOnclickHandler(t) {
	154	try{
	155	securedElement.innerHTML = "<div onclick='alert(4)'>illegal link</div>";
	156	}catch(e){}
	157
	158	t.f(securedElement.innerHTML.match(/alert/));
	159	},
	160	function confusingHTML(t) {
	161	try {
	162	securedElement.innerHTML = '<div x="\"><img onload=alert(42)src=http://json.org/img/json160.gif>"></div>';
	163	}catch(e){}
	164
	165	t.f(securedElement.innerHTML.match(/alert/));
	166	},
	167	function confusingHTML2(t) {
	168	try {
	169	securedElement.innerHTML = '<iframe/src="javascript:alert(42)"></iframe>';
	170	}catch(e){}
	171
	172	t.f(securedElement.innerHTML.match(/alert/));
	173	},
	174	function confusingHTML2(t) {
	175	try{
	176	securedElement.innerHTML = '<iframe/ "onload=alert(/XSS/)></iframe>';
	177	}catch(e){}
	178
	179	t.f(securedElement.innerHTML.match(/alert/));
	180	}
	181
	182	]);
	183

Note: See TracBrowser for help on using the repository browser.

Download in other formats: