test(sanitization): migrate test to spec (#19186)

manucorporat · web-flow · commit c7b6c7d563da · 2019-08-26T17:39:46.000+02:00
diff --git a/core/package.json b/core/package.json
@@ -34,7 +34,7 @@
     "tslib": "^1.10.0"
   },
   "devDependencies": {
-    "@stencil/core": "1.2.5",
+    "@stencil/core": "1.3.1",
     "@stencil/sass": "1.0.1",
     "@types/jest": "24.0.17",
     "@types/node": "12.7.1",
diff --git a/core/src/components/router/router.tsx b/core/src/components/router/router.tsx
@@ -104,7 +104,7 @@ export class Router implements ComponentInterface {
    * Go back to previous page in the window.history.
    */
   @Method()
-  back() {
+  back(): Promise<void> {
     window.history.back();
     return Promise.resolve(this.waitPromise);
   }
diff --git a/core/src/utils/sanitization/index.ts b/core/src/utils/sanitization/index.ts
@@ -84,7 +84,7 @@ const sanitizeElement = (element: any) => {
   if (element.nodeType && element.nodeType !== 1) { return; }
 
   for (let i = element.attributes.length - 1; i >= 0; i--) {
-    const attribute = element.attributes[i];
+    const attribute = element.attributes.item(i);
     const attributeName = attribute.name;
 
     // remove non-allowed attribs
diff --git a/core/src/utils/sanitization/test/e2e.ts b/core/src/utils/sanitization/test/e2e.ts
diff --git a/core/src/utils/sanitization/test/index.html b/core/src/utils/sanitization/test/index.html
diff --git a/core/src/utils/sanitization/test/sanitization.spec.ts b/core/src/utils/sanitization/test/sanitization.spec.ts
@@ -0,0 +1,44 @@
+import { sanitizeDOMString } from "..";
+
+describe('sanitizeDOMString', () => {
+
+  it('filter onerror', () => {
+    expect(sanitizeDOMString('<img src="x" onerror="alert(document.cookie);">'))
+      .toEqual('<img src="x">');
+  });
+
+  it('filter onclick', () => {
+    expect(sanitizeDOMString('<button id="myButton" name="myButton" onclick="alert(document.cookie);">harmless button</button>'))
+      .toEqual('<button id="myButton" name="myButton">harmless button</button>');
+  });
+
+  it('filter <a> href JS', () => {
+    expect(sanitizeDOMString('<a href="javascript:alert(document.cookie)">harmless link</a>'))
+      .toEqual('<a>harmless link</a>');
+  });
+
+  it('filter <a> href JS + class attribute', () => {
+    expect(sanitizeDOMString('<a class="link" href="Javascript&#58;alert(document.cookie)">harmless link</a>'))
+      .toEqual('<a class="link">harmless link</a>');
+  });
+
+  it('filter <iframe>', () => {
+    expect(sanitizeDOMString('<iframe src="javascript:alert(document.cookie)"></iframe>'))
+      .toEqual('');
+  });
+
+  it('filter href + javascript ', () => {
+    expect(sanitizeDOMString('<div><button><a href="javascript:alert(document.cookie)">click me</a></button></div>'))
+      .toEqual('<div><button><a>click me</a></button></div>');
+  });
+
+  it('filter <object>', () => {
+    expect(sanitizeDOMString('<object><img src="x" onerror="alert(document.cookie);"></object>'))
+      .toEqual('');
+  });
+
+  it('sanitizeDOMString', () => {
+    expect(sanitizeDOMString('<ion-item><ion-label>Hello!</ion-label><ion-button onclick="alert(document.cookie);">Click me</ion-button>'))
+      .toEqual('<ion-item><ion-label>Hello!</ion-label><ion-button>Click me</ion-button></ion-item>');
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ export class Router implements ComponentInterface {`
`104`	`104`	`* Go back to previous page in the window.history.`
`105`	`105`	`*/`
`106`	`106`	`@Method()`
`107`		`- back() {`
	`107`	`+ back(): Promise<void> {`
`108`	`108`	`window.history.back();`
`109`	`109`	`return Promise.resolve(this.waitPromise);`
`110`	`110`	`}`