tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

dangling-markup-window-name.html (3039B)

      1 <!doctype html>
      2 <html>
      3 <head>
      4  <title>Dangling Markup in target</title>
      5  <meta name="timeout" content="long">
      6  <script src="/resources/testharness.js"></script>
      7  <script src="/resources/testharnessreport.js"></script>
      8  <script src="/common/utils.js"></script>
      9 </head>
     10 <body>
     11  <script>
     12    function anchorClick(target, id) {
     13      const hyperlink = document.body.appendChild(document.createElement('a'));
     14      if (target) {
     15        hyperlink.target = target;
     16      }
     17      hyperlink.href = `resources/window-name.sub.html?report=${id}|close`;
     18      hyperlink.click();
     19    }
     20 
     21    async function pollResultAndCheck(t, id, expected) {
     22      const stashURL = new URL('resources/window-name-stash.py', location);
     23      stashURL.searchParams.set('id', id);
     24 
     25      let res = 'NONE';
     26      while (res == 'NONE') {
     27        await new Promise(resolve => { t.step_timeout(resolve, 100); });
     28 
     29        const response = await fetch(stashURL);
     30        res = await response.text();
     31      }
     32      if (res !== expected) {
     33        assert_unreached('Stash result does not equal expected result.')
     34      }
     35    }
     36 
     37    promise_test(async t => {
     38      const id = token();
     39      const value = '\n<' + id;
     40 
     41      window.open(`resources/window-name.sub.html?report=${id}|close`, value);
     42      await pollResultAndCheck(t, id, value);
     43    }, 'Dangling Markup in target is not reset when set by window.open');
     44 
     45    promise_test(async t => {
     46      const id = token();
     47      const value = '\n<' + id;
     48 
     49      anchorClick(value, id)
     50      await pollResultAndCheck(t, id, '');
     51    }, 'Dangling Markup with "\\n" in target is reset when set by <a> tag');
     52 
     53    promise_test(async t => {
     54      const id = token();
     55      const value = '\r<' + id;
     56 
     57      anchorClick(value, id)
     58      await pollResultAndCheck(t, id, '');
     59    }, 'Dangling Markup with "\\r" in target is reset when set by <a> tag');
     60 
     61    promise_test(async t => {
     62      const id = token();
     63      const value = '\t<' + id;
     64 
     65      anchorClick(value, id)
     66      await pollResultAndCheck(t, id, '');
     67    }, 'Dangling Markup with "\\t" in target is reset when set by <a> tag');
     68 
     69    promise_test(async t => {
     70      const id = token();
     71      const value = '\n<' + id;
     72 
     73      const form = document.body.appendChild(document.createElement('form'));
     74      form.target = value;
     75      form.method = 'GET';
     76      form.action = 'resources/window-name.sub.html';
     77      const input = form.appendChild(document.createElement('input'));
     78      input.type = 'hidden';
     79      input.name = 'report';
     80      input.value = `${id}|close`;
     81      form.submit();
     82 
     83      await pollResultAndCheck(t, id, '');
     84    }, 'Dangling Markup in target is reset when set by <form> tag');
     85 
     86    promise_test(async t => {
     87      const id = token();
     88      const value = '\n<' + id;
     89      const base = document.head.appendChild(document.createElement('base'));
     90      base.target = value;
     91 
     92      anchorClick(null, id)
     93      await pollResultAndCheck(t, id, '');
     94    }, 'Dangling Markup in target is reset when set by <base> tag');
     95  </script>
     96 </body>
     97 </html>