test(sanitization): migrate test to spec (#19186)

2025-08-19 19:57:22 +08:00 · 2019-08-26 17:39:46 +02:00
parent f2cfdf1bad
commit c7b6c7d563
6 changed files with 47 additions and 143 deletions
--- a/core/package.json
+++ b/core/package.json
@ -34,7 +34,7 @@
    "tslib": "^1.10.0"
  },
  "devDependencies": {
-    "@stencil/core": "1.2.5",
+    "@stencil/core": "1.3.1",
    "@stencil/sass": "1.0.1",
    "@types/jest": "24.0.17",
    "@types/node": "12.7.1",
--- a/core/src/components/router/router.tsx
+++ b/core/src/components/router/router.tsx
@ -104,7 +104,7 @@ export class Router implements ComponentInterface {
   * Go back to previous page in the window.history.
   */
  @Method()
-  back() {
+  back(): Promise<void> {
    window.history.back();
    return Promise.resolve(this.waitPromise);
  }
--- a/core/src/utils/sanitization/index.ts
+++ b/core/src/utils/sanitization/index.ts
@ -84,7 +84,7 @@ const sanitizeElement = (element: any) => {
  if (element.nodeType && element.nodeType !== 1) { return; }

  for (let i = element.attributes.length - 1; i >= 0; i--) {
-    const attribute = element.attributes[i];
+    const attribute = element.attributes.item(i);
    const attributeName = attribute.name;

    // remove non-allowed attribs
--- a/core/src/utils/sanitization/test/e2e.ts
+++ b/core/src/utils/sanitization/test/e2e.ts
@ -1,26 +0,0 @@
-import { newE2EPage } from '@stencil/core/testing';
-
-test('sanitization:', async done => {
-
-  const page = await newE2EPage({
-    url: '/src/utils/sanitization/test?ionic:_testing=true'
-  });
-
-  page.on('pageerror', (err: any) => {
-    if (err.message.includes('sanitizeFailed')) {
-      done.fail(new Error('Failed to properly sanitize'));
-    }
-  });
-
-  await page.click('#testA');
-  await page.click('#testB');
-  await page.click('#testC');
-  await page.click('#testD');
-  await page.click('#testE');
-  await page.click('#testF');
-  await page.click('#testG');
-  await page.click('#testH');
-
-  done();
-
-});
--- a/core/src/utils/sanitization/test/index.html
+++ b/core/src/utils/sanitization/test/index.html
@ -1,114 +0,0 @@
-<!DOCTYPE html>
-<html dir="ltr">
-<head>
-  <meta charset="UTF-8">
-  <title>Sanitization</title>
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
-  <link href="../../../../../css/ionic.bundle.css" rel="stylesheet">
-  <link href="../../../../../scripts/testing/styles.css" rel="stylesheet">
-  <script src="../../../../../scripts/testing/scripts.js"></script>
-  <script nomodule src="../../../../../dist/ionic/ionic.js"></script>
-  <script type="module" src="../../../../../dist/ionic/ionic.esm.js"></script></head>
-  <script type="module">
-    import { sanitizeDOMString } from '../../../../dist/collection/utils/sanitization/index.js';
-    window.sanitizeDOMString = sanitizeDOMString;
-  </script>
-</head>
-
-<!--
-  So the goal with these tests is to ensure
-  that an `alert` call is never executed
-  in the browser. If it is, then our sanitization
-  function has failed to properly sanitize
-  an input
-->
-
-<body>
-    <ion-app>
-
-    <ion-header>
-      <ion-toolbar>
-        <ion-title>Sanitization</ion-title>
-      </ion-toolbar>
-    </ion-header>
-
-    <ion-content class="ion-padding" id="content">
-      <div class="results">Results will appear here</div>
-
-      <ion-button onclick="testA()" id="testA">Test A</ion-button>
-      <ion-button onclick="testB()" id="testB">Test B</ion-button>
-      <ion-button onclick="testC()" id="testC">Test C</ion-button>
-      <ion-button onclick="testD()" id="testD">Test D</ion-button>
-      <ion-button onclick="testE()" id="testE">Test E</ion-button>
-      <ion-button onclick="testF()" id="testF">Test F</ion-button>
-      <ion-button onclick="testG()" id="testG">Test G</ion-button>
-      <ion-button onclick="testH()" id="testH">Test H</ion-button>
-    </ion-content>
-
-  </ion-app>
-
-  <script>
-    const results = document.querySelector('.results');
-
-    window.alert = () => {
-      throw new Error('sanitizeFailed');
-    }
-
-    function runTest(inputString) {
-      console.log(`Sanitizing ${inputString}`);
-      const sanitizedResult = sanitizeDOMString(inputString);
-
-      results.innerHTML = sanitizedResult;
-      console.log(`Result ${sanitizedResult}`)
-    }
-
-    function testA() {
-      runTest('<img src="x" onerror="alert(document.cookie);">');
-    }
-
-    function testB() {
-      runTest('<button id="myButton" name="myButton" onclick="alert(document.cookie);">harmless button</button>');
-
-      const buttom = results.querySelector('button');
-      buttom.click();
-    }
-
-    function testC() {
-      runTest('<a href="javascript:alert(document.cookie)">harmless link</a>');
-
-      const link = results.querySelector('a');
-      link.click();
-    }
-
-    function testD() {
-      runTest('<a class="link" href="Javascript&#58;alert(document.cookie)">harmless link</a>');
-
-      const link = results.querySelector('a');
-      link.click();
-    }
-
-    function testE() {
-      runTest('<iframe src="javascript:alert(document.cookie)"></iframe>');
-    }
-
-    function testF() {
-      runTest('<div><button><a href="javascript:alert(document.cookie)">click me</a></button></div>');
-
-      const link = results.querySelector('a');
-      link.click();
-    }
-
-    function testG() {
-      runTest('<object><img src="x" onerror="alert(document.cookie);"></object>');
-    }
-
-    function testH() {
-      runTest('<ion-item><ion-label>Hello!</ion-label><ion-button onclick="alert(document.cookie);">Click me</ion-button>');
-
-      const button = results.querySelector('ion-button');
-      button.click();
-    }
-  </script>
-</body>
-
-</html>
--- a/core/src/utils/sanitization/test/sanitization.spec.ts
+++ b/core/src/utils/sanitization/test/sanitization.spec.ts
@ -0,0 +1,44 @@
+import { sanitizeDOMString } from "..";
+
+describe('sanitizeDOMString', () => {
+
+  it('filter onerror', () => {
+    expect(sanitizeDOMString('<img src="x" onerror="alert(document.cookie);">'))
+      .toEqual('<img src="x">');
+  });
+
+  it('filter onclick', () => {
+    expect(sanitizeDOMString('<button id="myButton" name="myButton" onclick="alert(document.cookie);">harmless button</button>'))
+      .toEqual('<button id="myButton" name="myButton">harmless button</button>');
+  });
+
+  it('filter <a> href JS', () => {
+    expect(sanitizeDOMString('<a href="javascript:alert(document.cookie)">harmless link</a>'))
+      .toEqual('<a>harmless link</a>');
+  });
+
+  it('filter <a> href JS + class attribute', () => {
+    expect(sanitizeDOMString('<a class="link" href="Javascript&#58;alert(document.cookie)">harmless link</a>'))
+      .toEqual('<a class="link">harmless link</a>');
+  });
+
+  it('filter <iframe>', () => {
+    expect(sanitizeDOMString('<iframe src="javascript:alert(document.cookie)"></iframe>'))
+      .toEqual('');
+  });
+
+  it('filter href + javascript ', () => {
+    expect(sanitizeDOMString('<div><button><a href="javascript:alert(document.cookie)">click me</a></button></div>'))
+      .toEqual('<div><button><a>click me</a></button></div>');
+  });
+
+  it('filter <object>', () => {
+    expect(sanitizeDOMString('<object><img src="x" onerror="alert(document.cookie);"></object>'))
+      .toEqual('');
+  });
+
+  it('sanitizeDOMString', () => {
+    expect(sanitizeDOMString('<ion-item><ion-label>Hello!</ion-label><ion-button onclick="alert(document.cookie);">Click me</ion-button>'))
+      .toEqual('<ion-item><ion-label>Hello!</ion-label><ion-button>Click me</ion-button></ion-item>');
+  });
+});