| /* |
| * Copyright (c) 2014, the Dart project authors. Please see the AUTHORS file |
| * for details. All rights reserved. Use of this source code is governed by a |
| * BSD-style license that can be found in the LICENSE file. |
| */ |
| /** |
| * @assertion |
| * @description |
| */ |
| import "dart:html"; |
| import "../../testharness.dart"; |
| |
/// HTML fixture that [main] appends to the document body.
///
/// The wrapper is styled `visibility: hidden`. Each child (script, style,
/// textarea, xmp) carries the same comment-shaped content, which contains the
/// characters `"'&<>`; the test later reads each element's `innerHtml` and
/// `outerHtml` and compares the result with [innerTests] and [outerTests].
/// Kept as a raw string so the fixture is exactly what the browser parses.
const String htmlEL2 = r'''
<div id="hidden" style="visibility: hidden">
<script id="script">/*"'&<> "'&<> "'&<> */</script>
<style id="style">/*"'&<> "'&<> "'&<> */</style>
<textarea id="textarea">/*"'&<> "'&<> "'&<> */</textarea>
<xmp id="xmp">/*"'&<> "'&<> "'&<> */</xmp>
</div>
''';
| |
/// Expected `innerHtml` for each fixture element in [htmlEL2].
///
/// Every entry is `[elementId, expectedInnerHtml]`. The expected value is the
/// element's content unchanged, i.e. `"'&<>` is expected to come back
/// literally rather than entity-encoded for these elements.
///
/// NOTE(review): per the HTML fragment serialization algorithm, text inside
/// `<textarea>` is escaped (unlike script/style/xmp, which are emitted
/// literally); the textarea expectation here may reflect the engine this test
/// was ported from — confirm against current browsers.
var innerTests = [
  ["script", r"""/*"'&<> "'&<> "'&<> */"""],
  ["style", r"""/*"'&<> "'&<> "'&<> */"""],
  ["textarea", r"""/*"'&<> "'&<> "'&<> */"""],
  ["xmp", r"""/*"'&<> "'&<> "'&<> */"""],
];
| |
/// Expected `outerHtml` for each fixture element in [htmlEL2].
///
/// Mirrors [innerTests]: every entry is `[elementId, expectedOuterHtml]`, and
/// the expected value is the element's own start tag, its literal content and
/// its end tag, with `"'&<>` left unencoded.
var outerTests = [
  ["script", r"""<script id="script">/*"'&<> "'&<> "'&<> */</script>"""],
  ["style", r"""<style id="style">/*"'&<> "'&<> "'&<> */</style>"""],
  ["textarea", r"""<textarea id="textarea">/*"'&<> "'&<> "'&<> */</textarea>"""],
  ["xmp", r"""<xmp id="xmp">/*"'&<> "'&<> "'&<> */</xmp>"""],
];
| |
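/// Returns the `innerHtml` of the element whose id is [textnode].
///
/// Throws a [StateError] naming the id when no such element is in the
/// document, so a missing fixture element is reported by id instead of
/// surfacing as a NoSuchMethodError on `null`.
String innerHTML(String textnode) {
  Element element = document.getElementById(textnode);
  if (element == null) {
    throw new StateError("no element with id '$textnode' in the document");
  }
  return element.innerHtml;
}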
| |
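/// Returns the `outerHtml` of the element whose id is [textnode].
///
/// Throws a [StateError] naming the id when no such element is in the
/// document, so a missing fixture element is reported by id instead of
/// surfacing as a NoSuchMethodError on `null`.
String outerHTML(String textnode) {
  Element element = document.getElementById(textnode);
  if (element == null) {
    throw new StateError("no element with id '$textnode' in the document");
  }
  return element.outerHtml;
}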
| |
/// Test entry point.
///
/// Appends [htmlEL2] to the body using `NullTreeSanitizer` (assumed to perform
/// no sanitization — confirm), so the fixture's `<script>` and `<style>`
/// elements reach the DOM as written; the script body is a JS block comment,
/// so nothing runs. Then checks `innerHtml` and `outerHtml` of every fixture
/// element against [innerTests] and [outerTests], inner checks first, and
/// reports accumulated failures via `checkTestFailures`.
void main() {
  description("Tests that accessing the innerHTML property of a text node encodes harmful entities which can result in cross site scripting.");
  document.body.appendHtml(htmlEL2, treeSanitizer: new NullTreeSanitizer());
  innerTests.forEach((tdata) => shouldBe(innerHTML(tdata[0]), tdata[1]));
  outerTests.forEach((tdata) => shouldBe(outerHTML(tdata[0]), tdata[1]));
  checkTestFailures();
}