Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: Dev/trunk/src/client/dojox/secure/tests/DOM.js @ 532

Last change on this file since 532 was 483, checked in by hendrikvanantwerpen, 11 years ago
Added Dojo 1.9.3 release.
File size: 5.1 KB

Line
1	dojo.provide("dojox.secure.tests.DOM");
2	dojo.require("dojox.secure.DOM");
3
4	doh.register("dojox.secure.tests.DOM.good",
5	[
6	function setup(){
7	var div = document.createElement("div");
8	document.body.appendChild(div);
9	div.innerHTML = "Sandboxed div:";
10	div.style.position = "absolute";
11	div.style.top = "100px";
12	div.style.left = "100px";
13	div.style.backgroundColor = "red";
14	div.style.color = "white";
15	var container = document.createElement("div");
16	container.style.backgroundColor = "cyan";
17	container.style.color = "black";
18	div.appendChild(container);
19	wrap = dojox.secure.DOM(container);
20	securedElement = wrap(container);
21	console.log("securedElement",securedElement);
22	securedDoc = securedElement.ownerDocument;
23	console.log("securedDoc",securedDoc);
24	},
25	function innerHTML(t){
26	securedElement.innerHTML = "Hi there";
27	t.assertEqual("Hi there",securedElement.data__.innerHTML);
28	},
29	function docWrite(t){
30	securedDoc.write("<div style='color:red'>written</div>");
31	console.log("wrote");
32	securedDoc.close();
33	t.t(securedElement.data__.innerHTML.match(/written/));
34	},
35	function addNode(t){
36	var newDiv = securedDoc.createElement("div");
37	console.log("wrapped ",newDiv.data__);
38	newDiv.innerHTML = "inner div";
39	console.log("style ",newDiv.style.data__);
40	newDiv.style.color="blue";
41	console.log('appendChild ' + securedElement.appendChild);
42	securedElement.appendChild(newDiv);
43	t.t(securedElement.data__.innerHTML.match(/inner/));
44	},
45	/*function addStyleTag(t){
46	securedElement.innerHTML = "<style>div {color:green}</style><div>should be green</div>";
47	console.log('after style tag' + securedElement.innerHTML);
48	t.t(securedElement.innerHTML.match(/color/));
49	},*/
50	function addOnclickHandler(t){
51	securedElement.addEventListener("click",function(event) {
52	alert('proper click handler');
53	});
54
55	}
56	]);
57
58	function violater(func) {
59	return {name: func.name,
60	runTest: function(t) {
61	var insecure;
62	try {
63	func(t);
64	insecure = true;
65	}catch(e){
66	console.log("successfully threw error",e);
67	}
68	t.f(insecure);
69	}};
70	}
71	doh.register("dojox.secure.tests.DOM.bad",
72	[
73	function parentNode(t){
74	t.f(securedElement.parentNode);
75	},
76	function innerHTMLScript(t){
77	try {
78	securedElement.innerHTML = "<script>bad=true</script>";
79	}catch(e){}
80	t.t(typeof bad == 'undefined');
81	},
82	function innerHTMLScript2(t){
83	try{
84	securedElement.innerHTML = '</script><script>bad=true;//';
85	}catch(e){}
86	t.t(typeof bad == 'undefined');
87	},
88	function writeScript(t){
89	try{
90	securedDoc.write("<script>bad=true;</script>");
91	}catch(e){}
92	t.t(typeof bad == 'undefined');
93	},
94	function appendScript(t){
95	try {
96	var script = securedDoc.createElement('script');
97	script.appendChild(securedDoc.createTextNode(
98	'bad=true'));
99	securedElement.appendChild(script);
100	}
101	catch(e) {
102
103	}
104	t.t(typeof bad == 'undefined');
105	},
106	function cssExpression(t) {
107	if (dojo.isIE) {
108	securedElement.innerHTML = '<div id="oDiv" style="left:expression((bad=true), 0)">Example DIV</div>';
109	t.t(typeof bad == 'undefined');
110	}
111	else {
112	try{
113	securedElement.innerHTML = '<input style=\'-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");\'>';
114	}catch(e){}
115
116	t.f(securedElement.innerHTML.match(/mozilla/))
117	}
118
119	},
120	function cssExpression2(t) {
121	if (dojo.isIE) {
122	securedElement.style.left = 'expression(alert("hello"), 0)';
123	t.f(securedElement.style.left.match(/alert/));
124	}
125	else {
126	try {
127	securedElement.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")';
128	}catch(e){}
129
130	}
131	},
132	function cssExpression3(t) {
133	if (dojo.isIE) {
134	securedElement.style.behavior = 'url(a1.htc)';
135	t.f(securedElement.style.behavior);
136	}
137	else {
138
139	}
140	},
141	/*violater(function addStyleTag(t) {
142	securedElement.innerHTML = "<style>div {color:expression(alert(\"hello\")}</style><div>test</div>";
143	}),
144	violater(function addStyleTag2(t) {
145	securedElement.innerHTML = "<style>@import 'unsafe.css'</style><div>unsafe css</div>";
146	}),*/
147	function addJavaScriptHref(t) {
148	securedElement.innerHTML = "<a href='javascript:alert(3)'>illegal link</a>";
149	},
150	/*violater(function addNullCharSrc(t) {
151	securedElement.innerHTML = "<a href='java�script:alert(3)'>illegal link</a>";
152	}),*/
153	function addOnclickHandler(t) {
154	try{
155	securedElement.innerHTML = "<div onclick='alert(4)'>illegal link</div>";
156	}catch(e){}
157
158	t.f(securedElement.innerHTML.match(/alert/));
159	},
160	function confusingHTML(t) {
161	try {
162	securedElement.innerHTML = '<div x="\"><img onload=alert(42)src=http://json.org/img/json160.gif>"></div>';
163	}catch(e){}
164
165	t.f(securedElement.innerHTML.match(/alert/));
166	},
167	function confusingHTML2(t) {
168	try {
169	securedElement.innerHTML = '<iframe/src="javascript:alert(42)"></iframe>';
170	}catch(e){}
171
172	t.f(securedElement.innerHTML.match(/alert/));
173	},
174	function confusingHTML2(t) {
175	try{
176	securedElement.innerHTML = '<iframe/ "onload=alert(/XSS/)></iframe>';
177	}catch(e){}
178
179	t.f(securedElement.innerHTML.match(/alert/));
180	}
181
182	]);
183

Note: See TracBrowser for help on using the repository browser.

Download in other formats: