browser_bug441169.js (1370B)
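/* Make sure that netError won't allow HTML injection through badcert parameters. See bug 441169. */
var newBrowser;

/**
 * Content-side half of the test.
 *
 * Navigates the content window to an about:neterror URL whose description
 * parameter (`d`) carries URL-encoded HTML markup, then checks on
 * DOMContentLoaded that the markup was not turned into DOM elements.
 *
 * This function is handed to ContentTask.spawn and runs in the content
 * process, so everything it needs (listener, URL, assertion) lives inside
 * its own body rather than in the surrounding file scope.
 *
 * @returns {Promise<void>} Resolves once the error page has been checked.
 */
function task() {
  let resolve;
  const promise = new Promise(r => {
    resolve = r;
  });

  // Register before navigating so the load of the error page cannot be missed.
  addEventListener("DOMContentLoaded", checkPage, false);

  function checkPage(event) {
    // Only the tab's own content document is of interest; ignore
    // DOMContentLoaded events fired for any other document.
    if (event.target !== content.document) {
      return;
    }
    removeEventListener("DOMContentLoaded", checkPage, false);

    // If the description were inserted as HTML, the <span id="test_span">
    // from the URL would exist as an element. Its absence shows the
    // description was treated as plain text.
    is(
      content.document.getElementById("test_span"),
      null,
      "Error message should not be parsed as HTML, and hence shouldn't include the 'test_span' element."
    );
    resolve();
  }

  // The URL is split so the embedded markup is easy to spot; the pieces
  // concatenate to exactly the original single-literal URL.
  const chromeURL =
    "about:neterror?e=nssBadCert&u=https%3A//test.kuix.de/&c=UTF-8" +
    // Description text leading up to the injected element.
    "&d=This%20sentence%20should%20not%20be%20parsed%20to%20include%20a%20" +
    // Decodes to: <span id="test_span">named</span>
    "%3Cspan%20id=%22test_span%22%3Enamed%3C/span%3E" +
    "%20span%20tag.%0A%0A" +
    "The%20certificate%20is%20only%20valid%20for%20" +
    // Decodes to: <a id="cert_domain_link" title="kuix.de">kuix.de</a>
    // NOTE(review): the test makes no assertion about this fragment;
    // confirm whether one is wanted.
    "%3Ca%20id=%22cert_domain_link%22%20title=%22kuix.de%22%3Ekuix.de%3C/a%3E" +
    "%0A%0A(Error%20code%3A%20ssl_error_bad_cert_domain)";
  content.location = chromeURL;

  return promise;
}

/**
 * Chrome-side entry point: opens a fresh tab, runs `task` in its content
 * process, then removes the tab and finishes the test.
 *
 * A rejected content task is reported as a test failure and cleanup still
 * runs, so a broken task neither leaves the extra tab open nor stalls the
 * test until the harness timeout.
 */
function test() {
  waitForExplicitFinish();

  const newTab = BrowserTestUtils.addTab(gBrowser);
  gBrowser.selectedTab = newTab;
  newBrowser = gBrowser.getBrowserForTab(newTab);

  ContentTask.spawn(newBrowser, null, task)
    .catch(err => {
      ok(false, `Content task failed: ${err}`);
    })
    .then(() => {
      // Runs after both success and the failure report above.
      gBrowser.removeCurrentTab();
      finish();
    });
}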