authormeeque <meeque@users.noreply.github.com>2017-08-25 23:53:15 +0300
committerJohann-S <johann.servoire@gmail.com>2017-08-26 01:20:14 +0300
commit9612830701211d757ff95ceccbb494fd2e7ee17e (patch)
treefdb8d6b8c3c783c742a5ae32796fc3a87d92d4b0 /js
parentbcad4bcb5f5a9ef079b2883a48a698b35261e083 (diff)
Add unit test for xss in data target attribute
Diffstat (limited to 'js')
-rw-r--r--js/tests/unit/modal.js36
1 files changed, 36 insertions, 0 deletions
diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 3b028dc100..5b265df158 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -597,4 +597,40 @@ $(function () {
})
.trigger('click')
})
+
+ QUnit.test('should not parse target as html', function (assert) {
+ assert.expect(1)
+ var done = assert.async()
+
+ var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div id=&quot;modal-test&quot;&gt;&lt;div class=&quot;contents&quot;&lt;div&lt;div id=&quot;close&quot; data-dismiss=&quot;modal&quot;/&gt;&lt;/div&gt;&lt;/div&gt;"/>')
+ .appendTo('#qunit-fixture')
+
+ $toggleBtn.trigger('click')
+ setTimeout(function () {
+ assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
+ done()
+ }, 1)
+ })
+
+ QUnit.test('should not execute js from target', function (assert) {
+ assert.expect(0)
+ var done = assert.async()
+
+ // This toggle button contains XSS payload in its data-target
+ // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
+ // a script element works in manual tests though, so here it is likely blocked by the qunit framework
+ var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div&gt;&lt;image src=&quot;missing.png&quot; onerror=&quot;$(&apos;#qunit-fixture button.control&apos;).trigger(&apos;click&apos;)&quot;&gt;&lt;/div&gt;"/>')
+ .appendTo('#qunit-fixture')
+ // The XSS payload above does not have a closure over this function and cannot access the assert object directly
+ // However, it can send a click event to the following control button, which will then fail the assert
+ $('<button>')
+ .addClass('control')
+ .on('click', function () {
+ assert.notOk(true, 'XSS payload is not executed as js')
+ })
+ .appendTo('#qunit-fixture')
+
+ $toggleBtn.trigger('click')
+ setTimeout(done, 500)
+ })
})
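Review bot: The second test ('should not execute js from target') is only as strong as the fixed `setTimeout(done, 500)`: with `assert.expect(0)`, the test passes by default, and if the image load error and its `onerror` handler fire after `done()` has run, the failing `assert.notOk` is either lost or reported outside the test depending on the QUnit version, so the check can pass vacuously on a slow runner — this is inferred from the visible lines, not confirmed. The first test waits only 1 ms while this one waits 500 ms, and nothing explains the difference; a comment on the `setTimeout(done, 500)` line such as `// wait long enough for the image load to fail and its onerror handler to run; a shorter wait could let the test finish before the payload had a chance to execute` would make the intent clear to the next maintainer. The comment at `// a script element works in manual tests though, so here it is likely blocked by the qunit framework` is speculative; if the reason was not verified, it would be better phrased as a TODO so nobody treats the script-element case as covered. The enclosing `$(function () {` wrapper starts outside the hunk.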