})
.trigger('click')
})
+
+ QUnit.test('should not parse target as html', function (assert) {
+ assert.expect(1)
+ var done = assert.async()
+
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>')
+ .appendTo('#qunit-fixture')
+
+ $toggleBtn.trigger('click')
+ setTimeout(function () {
+ assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
+ done()
+ }, 1)
+ })
+
+ QUnit.test('should not execute js from target', function (assert) {
+ assert.expect(0)
+ var done = assert.async()
+
+ // This toggle button contains XSS payload in its data-target
+ // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
+ // a script element works in manual tests though, so here it is likely blocked by the qunit framework
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>')
+ .appendTo('#qunit-fixture')
+ // The XSS payload above does not have a closure over this function and cannot access the assert object directly
+ // However, it can send a click event to the following control button, which will then fail the assert
+ $('<button>')
+ .addClass('control')
+ .on('click', function () {
+ assert.notOk(true, 'XSS payload is not executed as js')
+ })
+ .appendTo('#qunit-fixture')
+
+ $toggleBtn.trigger('click')
+ setTimeout(done, 500)
+ })
})
projects / thirdparty / bootstrap.git / commitdiff
