This repository has been archived on 2024-01-26. You can view files and clone it, but cannot push or open issues or pull requests.
calcifer/web/vendor/selectize.js/test/xss.js

61 lines
1.7 KiB
JavaScript
Raw Normal View History

(function() {
window.setup_xss_test = function(html, options, done) {
window.xss = function() {
window.clearTimeout(timeout);
complete(new Error('Exploit executed'));
};
var test = setup_test(html, options);
var complete = function(err) {
window.xss = function() {};
done(err);
};
var timeout = window.setTimeout(complete, 75);
return test;
};
describe('XSS', function() {
describe('Raw HTML in original input value', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="&lt;img src=&quot;x&quot; onerror=&quot;xss()&quot;&gt;">', {}, done);
});
});
describe('Raw HTML in optgroup label', function() {
it('should not trigger exploit', function(done) {
var test = setup_xss_test('<select><optgroup label="&lt;img src=&quot;x&quot; onerror=&quot;xss()&quot;&gt;"><option>Test</option></optgroup></select>', {}, done);
test.selectize.refreshOptions();
test.selectize.open();
});
});
describe('Raw HTML in option label should not trigger exploit', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="">', {
options: [
{value: '1', label: '<img src="x" onerror="xss()">'}
],
items: ['1'],
labelField: 'label',
valueField: 'value'
}, done);
});
});
describe('Raw HTML in option value should not trigger exploit', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="">', {
options: [
{value: '<img src="x" onerror="xss()">', label: '1'}
],
items: ['<img src="x" onerror="xss()">'],
labelField: 'label',
valueField: 'value'
}, done);
});
});
});
})();