assert.expect(1)
var done = assert.async()
- try {
- var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>')
- .appendTo('#qunit-fixture')
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>')
+ .appendTo('#qunit-fixture')
- $toggleBtn.trigger('click')
- } catch (e) {
+ $toggleBtn.trigger('click')
+ setTimeout(function () {
assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
done()
- }
+ }, 0)
})
QUnit.test('should not execute js from target', function (assert) {
assert.expect(0)
var done = assert.async()
- try {
- // This toggle button contains XSS payload in its data-target
- // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
- // a script element works in manual tests though, so here it is likely blocked by the qunit framework
- var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>')
- .appendTo('#qunit-fixture')
- // The XSS payload above does not have a closure over this function and cannot access the assert object directly
- // However, it can send a click event to the following control button, which will then fail the assert
- $('<button>')
- .addClass('control')
- .on('click', function () {
- assert.notOk(true, 'XSS payload is not executed as js')
- })
- .appendTo('#qunit-fixture')
+ // This toggle button contains XSS payload in its data-target
+ // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
+ // a script element works in manual tests though, so here it is likely blocked by the qunit framework
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>')
+ .appendTo('#qunit-fixture')
+ // The XSS payload above does not have a closure over this function and cannot access the assert object directly
+ // However, it can send a click event to the following control button, which will then fail the assert
+ $('<button>')
+ .addClass('control')
+ .on('click', function () {
+ assert.notOk(true, 'XSS payload is not executed as js')
+ })
+ .appendTo('#qunit-fixture')
- $toggleBtn.trigger('click')
- } catch (e) {
- done()
- }
+ $toggleBtn.trigger('click')
+
+ setTimeout(done, 500)
})
QUnit.test('should not try to open a modal which is already visible', function (assert) {
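Review bot: The `setTimeout(done, 500)` that ends 'should not execute js from target' turns it into a pass-by-absence test with a fixed window. Under `assert.expect(0)` it passes whenever the `.control` button is not clicked within 500 ms, so it cannot tell "the payload was never parsed" from "the `onerror` for `missing.png` fired late on a slow runner". Removing the `try`/`catch` is a real improvement, since a throw from the click handler now fails the test instead of being swallowed, but the 500 ms value is unexplained. I would document it where it is set, for example `// onerror for the missing image fires asynchronously; wait before finishing so an executed payload can still click .control and fail the test`. The companion test above waits only `0` ms before asserting that `#modal-test` is absent, so it may be worth stating there that this check is expected to be synchronous with the click.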
assert.strictEqual(Util.getSelectorFromElement($el2[0]), null)
})
- QUnit.test('Util.getSelectorFromElement should throw error when there is a bad selector', function (assert) {
+ QUnit.test('Util.getSelectorFromElement should return null when there is a bad selector', function (assert) {
assert.expect(2)
var $el = $('<div data-target="#1"></div>').appendTo($('#qunit-fixture'))
- try {
- assert.ok(true, 'trying to use a bad selector')
- Util.getSelectorFromElement($el[0])
- } catch (e) {
- assert.ok(e instanceof DOMException)
- }
+ assert.strictEqual(Util.getSelectorFromElement($el[0]), null)
+
+ var $el2 = $('<a href="/posts"></a>').appendTo($('#qunit-fixture'))
+
+ assert.strictEqual(Util.getSelectorFromElement($el2[0]), null)
})
QUnit.test('Util.typeCheckConfig should thrown an error when a bad config is passed', function (assert) {
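Review bot: The rewritten 'bad selector' test covers `data-target="#1"` and `href="/posts"`, but not a markup-shaped `data-target`, which is the input the modal tests on this page treat as hostile. Pinning that case at the unit level would show that `Util.getSelectorFromElement` itself rejects such a value, rather than relying on the modal tests' timing. Presumably it returns `null` there too, which should be confirmed against the implementation, as it is not visible here. A sketch: `var $el3 = $('<div>').attr('data-target', '<div id="x"></div>').appendTo($('#qunit-fixture'))` followed by `assert.strictEqual(Util.getSelectorFromElement($el3[0]), null, 'markup in data-target is not treated as a selector')`, with `assert.expect(2)` raised to `3`. The two new assertions also carry no message, so a failure would not say which input regressed.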