tests for XSS injection in tooltips

Joffrey JAFFEUX 2018-06-28 14:24:21 +02:00 committed by GitHub
parent a6d50d1ff7
commit 9f4e814dbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -0,0 +1,25 @@
import { registerTooltip } from "discourse/lib/tooltip";
// prettier-ignore
QUnit.module("lib:tooltip", {
beforeEach() {
fixture().html(
"<a class='test-link' data-tooltip='XSS<s onmouseover\=alert(document.domain)>XSS'>test</a>"
);
}
});
QUnit.test("it prevents XSS injection", assert => {
const $testLink = fixture(".test-link");
registerTooltip($testLink);
$testLink.click();
andThen(() => {
assert.equal(
fixture(".tooltip-content")
.html()
.trim(),
"XSS&lt;s onmouseover=alert(document.domain)&gt;XSS"
);
});
});
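Review bot: The only assertion in "it prevents XSS injection" pins the escaped string returned by `.html()`, so the test never states the security property directly: that the `data-tooltip` value creates no element inside `.tooltip-content`. Adding `assert.equal(fixture(".tooltip-content").children().length, 0, "tooltip text creates no elements");` next to it would keep the test meaningful if the escaping or serialization format changes; this assumes `fixture()` returns a jQuery object, as the `.html()` call suggests, and that the tooltip content holds only the text. Separately, the `\=` in the fixture string is a no-op escape in a JavaScript string literal, and the `// prettier-ignore` above `QUnit.module` appears to exist only to preserve it. Either drop both, or add a comment such as `// prettier-ignore: keep the payload string byte-for-byte as reported` so the next reader knows why formatting is disabled.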