author | Johann-S <johann.servoire@gmail.com> | 2019-02-11 17:59:39 +0300 |
---|---|---|
committer | XhmikosR <xhmikosr@gmail.com> | 2019-02-13 09:32:15 +0300 |
commit | 7bc4d2e0bc65151b6f60dccad50c9c8f50252bd6 (patch) | |
tree | 178feb0626afeb5861d6c873f72efefc16e076ac /js/tests/unit/tooltip.js | |
parent | bf2515ae68f1d89e8b795478aec90f8db61159e5 (diff) |
Add sanitize template option for tooltip/popover plugins.
Diffstat (limited to 'js/tests/unit/tooltip.js')
-rw-r--r-- | js/tests/unit/tooltip.js | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/js/tests/unit/tooltip.js b/js/tests/unit/tooltip.js
index 30829d24d5..e66450fb85 100644
--- a/js/tests/unit/tooltip.js
+++ b/js/tests/unit/tooltip.js
@@ -1106,4 +1106,164 @@ $(function () {
 assert.strictEqual(offset.offset, myOffset)
 assert.ok(typeof offset.fn === 'undefined')
 })
+
+ QUnit.test('should disable sanitizer', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ sanitize: false
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+ assert.strictEqual(tooltip.config.sanitize, false)
+ })
+
+ QUnit.test('should sanitize template by removing disallowed tags', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<div>',
+ ' <script>console.log("oups script inserted")</script>',
+ ' <span>Some content</span>',
+ '</div>'
+ ].join('')
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+ assert.strictEqual(tooltip.config.template.indexOf('script'), -1)
+ })
+
+ QUnit.test('should sanitize template by removing disallowed attributes', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<div>',
+ ' <img src="x" onError="alert(\'test\')">Some content</img>',
+ '</div>'
+ ].join('')
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+ assert.strictEqual(tooltip.config.template.indexOf('onError'), -1)
+ })
+
+ QUnit.test('should sanitize template by removing tags with XSS', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<div>',
+ ' <a href="javascript:alert(7)">Click me</a>',
+ ' <span>Some content</span>',
+ '</div>'
+ ].join('')
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+ assert.strictEqual(tooltip.config.template.indexOf('script'), -1)
+ })
+
+ QUnit.test('should allow custom sanitization rules', function (assert) {
+ assert.expect(2)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<a href="javascript:alert(7)">Click me</a>',
+ '<span>Some content</span>'
+ ].join(''),
+ whiteList: {
+ span: null
+ }
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+
+ assert.strictEqual(tooltip.config.template.indexOf('<a'), -1)
+ assert.ok(tooltip.config.template.indexOf('span') !== -1)
+ })
+
+ QUnit.test('should allow passing a custom function for sanitization', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<span>Some content</span>'
+ ].join(''),
+ sanitizeFn: function (input) {
+ return input
+ }
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+
+ assert.ok(tooltip.config.template.indexOf('span') !== -1)
+ })
+
+ QUnit.test('should allow passing aria attributes', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<span aria-pressed="true">Some content</span>'
+ ].join('')
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+
+ assert.ok(tooltip.config.template.indexOf('aria-pressed') !== -1)
+ })
+
+ QUnit.test('should not sanitize element content', function (assert) {
+ assert.expect(1)
+
+ var $element = $('<div />').appendTo('#qunit-fixture')
+ var content = '<script>var test = 1;</script>'
+
+ var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<span aria-pressed="true">Some content</span>'
+ ].join(''),
+ html: true,
+ sanitize: false
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+ tooltip.setElementContent($element, content)
+
+ assert.strictEqual($element[0].innerHTML, content)
+ })
+
+ QUnit.test('should not take into account sanitize in data attributes', function (assert) {
+ assert.expect(1)
+
+ var $trigger = $('<a href="#" rel="tooltip" data-sanitize="false" data-trigger="click" title="Another tooltip"/>')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ template: [
+ '<span aria-pressed="true">Some content</span>'
+ ].join('')
+ })
+
+ var tooltip = $trigger.data('bs.tooltip')
+
+ assert.strictEqual(tooltip.config.sanitize, true)
+ })
 })
|
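Review bot: The 'should sanitize template by removing disallowed attributes' test searches for the mixed-case string `onError`, so it can pass even when the handler attribute survives: if the sanitizer parses and re-serializes the template through the DOM (its implementation is not part of this file), the attribute name comes back lowercased as `onerror`. A case-insensitive check closes that gap, `assert.strictEqual(tooltip.config.template.toLowerCase().indexOf('onerror'), -1)`. The 'should allow passing a custom function for sanitization' test has a similar weakness: `sanitizeFn` returns its input unchanged and the template is already benign, so the assertion holds whether or not the function is ever called; returning a distinct marker string and asserting on it would pin the behaviour. The 'tags with XSS' test would also read more precisely if it asserted on `javascript:` rather than the substring `script`. The enclosing `$(function () {` wrapper starts outside this hunk.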