javascript/ionic-framework
1
0
Fork 0
mirror of https://github.com/ionic-team/ionic-framework.git synced 2025-08-19 19:57:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

test(sanitization): migrate test to spec (#19186)

Browse Source
This commit is contained in:
Manu MA
2019-08-26 17:39:46 +02:00
committed by GitHub
parent f2cfdf1bad
commit c7b6c7d563
6 changed files with 47 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/package.json
View File

@ -34,7 +34,7 @@
"tslib": "^1.10.0" "tslib": "^1.10.0"
}, },
"devDependencies": { "devDependencies": {
"@stencil/core": "1.2.5", "@stencil/core": "1.3.1",
"@stencil/sass": "1.0.1", "@stencil/sass": "1.0.1",
"@types/jest": "24.0.17", "@types/jest": "24.0.17",
"@types/node": "12.7.1", "@types/node": "12.7.1",

2
core/src/components/router/router.tsx
View File

@ -104,7 +104,7 @@ export class Router implements ComponentInterface {
* Go back to previous page in the window.history. * Go back to previous page in the window.history.
*/ */
@Method() @Method()
back() { back(): Promise<void> {
window.history.back(); window.history.back();
return Promise.resolve(this.waitPromise); return Promise.resolve(this.waitPromise);
} }

2
core/src/utils/sanitization/index.ts
View File

@ -84,7 +84,7 @@ const sanitizeElement = (element: any) => {
if (element.nodeType && element.nodeType !== 1) { return; } if (element.nodeType && element.nodeType !== 1) { return; }
for (let i = element.attributes.length - 1; i >= 0; i--) { for (let i = element.attributes.length - 1; i >= 0; i--) {
const attribute = element.attributes[i]; const attribute = element.attributes.item(i);
const attributeName = attribute.name; const attributeName = attribute.name;
// remove non-allowed attribs // remove non-allowed attribs

26
core/src/utils/sanitization/test/e2e.ts
View File

@ -1,26 +0,0 @@
import { newE2EPage } from '@stencil/core/testing';
test('sanitization:', async done => {
const page = await newE2EPage({
url: '/src/utils/sanitization/test?ionic:_testing=true'
});
page.on('pageerror', (err: any) => {
if (err.message.includes('sanitizeFailed')) {
done.fail(new Error('Failed to properly sanitize'));
}
});
await page.click('#testA');
await page.click('#testB');
await page.click('#testC');
await page.click('#testD');
await page.click('#testE');
await page.click('#testF');
await page.click('#testG');
await page.click('#testH');
done();
});

114
core/src/utils/sanitization/test/index.html
View File

@ -1,114 +0,0 @@
<!DOCTYPE html>
<html dir="ltr">
<head>
<meta charset="UTF-8">
<title>Sanitization</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link href="../../../../../css/ionic.bundle.css" rel="stylesheet">
<link href="../../../../../scripts/testing/styles.css" rel="stylesheet">
<script src="../../../../../scripts/testing/scripts.js"></script>
<script nomodule src="../../../../../dist/ionic/ionic.js"></script>
<script type="module" src="../../../../../dist/ionic/ionic.esm.js"></script></head>
<script type="module">
import { sanitizeDOMString } from '../../../../dist/collection/utils/sanitization/index.js';
window.sanitizeDOMString = sanitizeDOMString;
</script>
</head>
<!--
So the goal with these tests is to ensure
that an `alert` call is never executed
in the browser. If it is, then our sanitization
function has failed to properly sanitize
an input
-->
<body>
<ion-app>
<ion-header>
<ion-toolbar>
<ion-title>Sanitization</ion-title>
</ion-toolbar>
</ion-header>
<ion-content class="ion-padding" id="content">
<div class="results">Results will appear here</div>
<ion-button onclick="testA()" id="testA">Test A</ion-button>
<ion-button onclick="testB()" id="testB">Test B</ion-button>
<ion-button onclick="testC()" id="testC">Test C</ion-button>
<ion-button onclick="testD()" id="testD">Test D</ion-button>
<ion-button onclick="testE()" id="testE">Test E</ion-button>
<ion-button onclick="testF()" id="testF">Test F</ion-button>
<ion-button onclick="testG()" id="testG">Test G</ion-button>
<ion-button onclick="testH()" id="testH">Test H</ion-button>
</ion-content>
</ion-app>
<script>
const results = document.querySelector('.results');
window.alert = () => {
throw new Error('sanitizeFailed');
}
function runTest(inputString) {
console.log(`Sanitizing ${inputString}`);
const sanitizedResult = sanitizeDOMString(inputString);
results.innerHTML = sanitizedResult;
console.log(`Result ${sanitizedResult}`)
}
function testA() {
runTest('<img src="x" onerror="alert(document.cookie);">');
}
function testB() {
runTest('<button id="myButton" name="myButton" onclick="alert(document.cookie);">harmless button</button>');
const buttom = results.querySelector('button');
buttom.click();
}
function testC() {
runTest('<a href="javascript:alert(document.cookie)">harmless link</a>');
const link = results.querySelector('a');
link.click();
}
function testD() {
runTest('<a class="link" href="Javascript&#58;alert(document.cookie)">harmless link</a>');
const link = results.querySelector('a');
link.click();
}
function testE() {
runTest('<iframe src="javascript:alert(document.cookie)"></iframe>');
}
function testF() {
runTest('<div><button><a href="javascript:alert(document.cookie)">click me</a></button></div>');
const link = results.querySelector('a');
link.click();
}
function testG() {
runTest('<object><img src="x" onerror="alert(document.cookie);"></object>');
}
function testH() {
runTest('<ion-item><ion-label>Hello!</ion-label><ion-button onclick="alert(document.cookie);">Click me</ion-button>');
const button = results.querySelector('ion-button');
button.click();
}
</script>
</body>
</html>

44
core/src/utils/sanitization/test/sanitization.spec.ts Normal file
View File

@ -0,0 +1,44 @@
import { sanitizeDOMString } from "..";
describe('sanitizeDOMString', () => {
it('filter onerror', () => {
expect(sanitizeDOMString('<img src="x" onerror="alert(document.cookie);">'))
.toEqual('<img src="x">');
});
it('filter onclick', () => {
expect(sanitizeDOMString('<button id="myButton" name="myButton" onclick="alert(document.cookie);">harmless button</button>'))
.toEqual('<button id="myButton" name="myButton">harmless button</button>');
});
it('filter <a> href JS', () => {
expect(sanitizeDOMString('<a href="javascript:alert(document.cookie)">harmless link</a>'))
.toEqual('<a>harmless link</a>');
});
it('filter <a> href JS + class attribute', () => {
expect(sanitizeDOMString('<a class="link" href="Javascript&#58;alert(document.cookie)">harmless link</a>'))
.toEqual('<a class="link">harmless link</a>');
});
it('filter <iframe>', () => {
expect(sanitizeDOMString('<iframe src="javascript:alert(document.cookie)"></iframe>'))
.toEqual('');
});
it('filter href + javascript ', () => {
expect(sanitizeDOMString('<div><button><a href="javascript:alert(document.cookie)">click me</a></button></div>'))
.toEqual('<div><button><a>click me</a></button></div>');
});
it('filter <object>', () => {
expect(sanitizeDOMString('<object><img src="x" onerror="alert(document.cookie);"></object>'))
.toEqual('');
});
it('sanitizeDOMString', () => {
expect(sanitizeDOMString('<ion-item><ion-label>Hello!</ion-label><ion-button onclick="alert(document.cookie);">Click me</ion-button>'))
.toEqual('<ion-item><ion-label>Hello!</ion-label><ion-button>Click me</ion-button></ion-item>');
});
});