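<!DOCTYPE html>
<head>
<meta charset="utf-8">
<title>Testcases for handling javascript: URL attributes</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/html5lib-testcase-support.js"></script>

<!--
  Each <script type="html5lib-testcases"> below holds html5lib-style cases:
  "#data" is the markup fed to the sanitizer, "#document" is the tree dump the
  sanitized result must match. Comments must stay outside those scripts, since
  their textContent is parsed verbatim.
-->

<!--
  Navigating URL attributes carrying a javascript: URL. The expected tree shows
  the element with no attributes, i.e. the attribute must be removed.
-->
<script id="built-in-navigating-url-attributes-list" type="html5lib-testcases">
#data
<a href="javascript:alert(1)"></a>
#document
| <a>

#data
<area href="javascript:alert(1)"></area>
#document
| <area>

#data
<base href="javascript:alert(1)"></base>
#document
| <base>

#data
<button formaction="javascript:alert(1)"></button>
#document
| <button>

#data
<form action="javascript:alert(1)"></form>
#document
| <form>

#data
<input formaction="javascript:alert(1)"></input>
#document
| <input>

#data
<svg><a href="javascript:alert(1)"></a></svg>
#document
| <svg svg>
|   <svg a>

#data
<svg><a xlink:href="javascript:alert(1)"></a></svg>
#document
| <svg svg>
|   <svg a>
</script>

<!-- MathML elements: a javascript: href must be removed as well. -->
<script id="mathml" type="html5lib-testcases">
#data
<math><mrow href="javascript:alert(1)"></mrow></math>
#document
| <math math>
|   <math mrow>

#data
<math><msqrt href="javascript:alert(1)"></msqrt></math>
#document
| <math math>
|   <math msqrt>

#data
<math><mtext href="javascript:alert(1)">Test</mtext></math>
#document
| <math math>
|   <math mtext>
|     "Test"
</script>

<!--
  SVG animation elements whose attributeName targets href / xlink:href. The
  attributeName attribute itself is expected to be dropped, even though no
  javascript: value is present in the markup.
-->
<script id="built-in-animating-url-attributes-list" type="html5lib-testcases">
#data
<svg><animate attributeName="href"></svg>
#document
| <svg svg>
|   <svg animate>

#data
<svg><animate attributeName="xlink:href"></svg>
#document
| <svg svg>
|   <svg animate>


#data
<svg><animateMotion attributeName="href"></svg>
#document
| <svg svg>
|   <svg animateMotion>

#data
<svg><animateMotion attributeName="xlink:href"></svg>
#document
| <svg svg>
|   <svg animateMotion>


#data
<svg><animateTransform attributeName="href"></svg>
#document
| <svg svg>
|   <svg animateTransform>

#data
<svg><animateTransform attributeName="xlink:href"></svg>
#document
| <svg svg>
|   <svg animateTransform>


#data
<svg><set attributeName="href"></svg>
#document
| <svg svg>
|   <svg set>

#data
<svg><set attributeName="xlink:href"></svg>
#document
| <svg svg>
|   <svg set>
</script>

<!--
  Negative cases that must survive unchanged: an attribute whose name is not a
  URL attribute, a non-javascript: URL, and an attributeName that only equals
  "href" after trimming whitespace (the expected dump keeps it, so the name
  comparison is exact).
-->
<script id="allowed" type="html5lib-testcases">
#data
<a nothref="javascript:alert(1)"></a>
#document
| <a>
|   nothref="javascript:alert(1)"

#data
<svg><a xlink:href="data:text/html,foobar"></a></svg>
#document
| <svg svg>
|   <svg a>
|     xlink href="data:text/html,foobar"

#data
<svg><set attributeName=" href "></svg>
#document
| <svg svg>
|   <svg set>
|     attributeName=" href "
</script>

<script>
// Run every testcase group above through both sanitizer entry points,
// Element.setHTML and Document.parseHTML, and compare the resulting tree
// against the expected #document dump via assert_testcase.
for (const group of document.querySelectorAll("script[type='html5lib-testcases']")) {
  parse_html5lib_testcases(group.textContent).forEach((testcase, index) => {
    // An empty sanitizer config allows everything; these tests only check
    // that the built-in javascript: URL handling removes the attributes.
    // Never reassigned, so bind it with const.
    const config = { sanitizer: {} };

    test((_) => {
      const div = document.createElement("div");
      div.setHTML(testcase.data, config);
      assert_testcase(div, testcase);
    }, `setHTML testcase ${group.id}/${index}, "${testcase.data}"`);

    test((_) => {
      // parseHTML produces a whole document; only its body is compared.
      assert_testcase(Document.parseHTML("<body>" + testcase.data, config).body, testcase);
    }, `parseHTML testcase ${group.id}/${index}, "${testcase.data}"`);
  });
}
</script>
</head>
<body>
</body>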