Context Navigation

source: Dev/trunk/src/client/dojox/secure/tests/sandbox.js

Last change on this file was 483, checked in by hendrikvanantwerpen, 11 years ago
Added Dojo 1.9.3 release.
File size: 3.1 KB

Rev	Line
[483]	1	dojo.provide("dojox.secure.tests.sandbox");
	2
	3	doh.register("dojox.secure.tests.sandbox.good",
	4	[
	5	function setup(){
	6	var div = document.createElement("div");
	7	document.body.appendChild(div);
	8	div.innerHTML = "Sandboxed div:";
	9	div.style.position = "absolute";
	10	div.style.top = "100px";
	11	div.style.left = "100px";
	12	div.style.backgroundColor = "red";
	13	div.style.color = "white";
	14	container = document.createElement("div");
	15	container.style.backgroundColor = "cyan";
	16	container.style.color = "black";
	17	div.appendChild(container);
	18	},
	19	function innerHTML(t){
	20	dojox.secure.evaluate("element.innerHTML = 'Hi there';",container);
	21	t.assertEqual("Hi there",container.innerHTML);
	22	},
	23	function docWrite(t){
	24	dojox.secure.evaluate("document.write(\"<div style='color:red'>written</div>\");",container);
	25	t.t(container.innerHTML.match(/written/));
	26	}
	27	]);
	28
	29	function violater(func) {
	30	return {name: func.name,
	31	runTest: function(t) {
	32	var insecure;
	33	try {
	34	func(t);
	35	insecure = true;
	36	}catch(e){
	37	console.log("successfully threw error",e);
	38	}
	39	t.f(insecure);
	40	}};
	41	}
	42	doh.register("dojox.secure.tests.sandbox.bad",
	43	[
	44	function parentNode(t){
	45	t.f(dojox.secure.evaluate("document.body",container));
	46	},
	47	function innerHTMLScript(t){
	48	try {
	49	dojox.secure.evaluate("bad = true",container);
	50	}catch(e){}
	51	t.t(typeof bad == 'undefined');
	52	}
	53	/*function innerHTMLScript2(t){
	54	try{
	55	securedElement.innerHTML = '</script><script>bad=true;//';
	56	}catch(e){}
	57	t.t(typeof bad == 'undefined');
	58	},
	59	function writeScript(t){
	60	try{
	61	securedDoc.write("<script>bad=true;</script>");
	62	}catch(e){}
	63	t.t(typeof bad == 'undefined');
	64	},
	65	function appendScript(t){
	66	try {
	67	var script = securedDoc.createElement('script');
	68	script.appendChild(securedDoc.createTextNode(
	69	'bad=true'));
	70	securedElement.appendChild(script);
	71	}
	72	catch(e) {
	73
	74	}
	75	t.t(typeof bad == 'undefined');
	76	},
	77	function cssExpression(t) {
	78	if (dojo.isIE) {
	79	securedElement.innerHTML = '<div id="oDiv" style="left:expression((bad=true), 0)">Example DIV</div>';
	80	t.t(typeof bad == 'undefined');
	81	}
	82	else {
	83	try{
	84	securedElement.innerHTML = '<input style=\'-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");\'>';
	85	}catch(e){}
	86
	87	t.f(securedElement.innerHTML.match(/mozilla/))
	88	}
	89
	90	},
	91	function cssExpression2(t) {
	92	if (dojo.isIE) {
	93	securedElement.style.left = 'expression(alert("hello"), 0)';
	94	t.f(securedElement.style.left.match(/alert/));
	95	}
	96	else {
	97	try {
	98	securedElement.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")';
	99	}catch(e){}
	100
	101	}
	102	},
	103	function cssExpression3(t) {
	104	if (dojo.isIE) {
	105	securedElement.style.behavior = 'url(a1.htc)';
	106	t.f(securedElement.style.behavior);
	107	}
	108	else {
	109
	110	}
	111	},
	112	violater(function addStyleTag(t) {
	113	securedElement.innerHTML = "<style>div {color:expression(alert(\"hello\")}</style><div>test</div>";
	114	}),
	115	violater(function addStyleTag2(t) {
	116	securedElement.innerHTML = "<style>@import 'unsafe.css'</style><div>unsafe css</div>";
	117	})*/
	118	]);
	119

Note: See TracBrowser for help on using the repository browser.

Download in other formats: