transports: added tests for htmlfile escaping/unescaping

socketio · Jun 6, 2013 · ee078cb · ee078cb
1 parent 64d8f57
commit ee078cb
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 4 deletions.
diff --git a/lib/transports/htmlfile.js b/lib/transports/htmlfile.js
@@ -73,7 +73,7 @@ HTMLFile.prototype.handleRequest = function (req) {
 
 HTMLFile.prototype.write = function (data) {
   // escape all forward slashes. see GH-1251
-  data = '<script>_(' + JSON.stringify(data).replace(/\//g, '//') + ');</script>';
+  data = '<script>_(' + JSON.stringify(data).replace(/\//g, '\\/') + ');</script>';
 
   if (this.response.write(data)) {
     this.drained = true;

diff --git a/test/transports.htmlfile.test.js b/test/transports.htmlfile.test.js
@@ -77,10 +77,14 @@ HTMLFile.prototype.data = function (path, opts, fn) {
 
           case 2:
             if (buf.indexOf(foot) != -1) {
-              var data = buf.slice(0, buf.indexOf(foot))
-                , obj = JSON.parse(data);
+              var data = buf.slice(0, buf.indexOf(foot));
 
-              fn(obj === '' ? obj : parser.decodePayload(obj), ++messages);
+              if (false === opts.parse) {
+                fn(data, ++messages);
+              } else {
+                var obj = JSON.parse(data);
+                fn(obj === '' ? obj : parser.decodePayload(obj), ++messages);
+              }
 
               buf = buf.substr(data.length + foot.length);
               state = 1;
@@ -453,6 +457,78 @@ module.exports = {
         }
       });
     });
+  },
+
+  'test escaping for security': function (done) {
+    var port = ++ports
+      , cl = client(port)
+      , io = create(cl)
+      , messaged = false;
+
+    io.configure(function () {
+      io.set('close timeout', 0);
+    });
+
+    io.sockets.on('connection', function (socket) {
+      socket.emit('</script> woot');
+
+      socket.on('disconnect', function () {
+        io.server.close();
+        done();
+      });
+    });
+
+    cl.handshake(function (sid) {
+      cl.data('/socket.io/{protocol}/htmlfile/' + sid, { parse: false }, function (msg, i) {
+        switch (i) {
+          case 2:
+            msg.should.not.include('</script');
+            cl.end();
+        }
+      });
+    });
+  },
+
+  'test that unescaping works': function(done){
+    var port = ++ports
+      , cl = client(port)
+      , io = create(cl)
+      , messaged = false;
+
+    io.configure(function () {
+      io.set('close timeout', 0);
+    });
+
+    io.sockets.on('connection', function (socket) {
+      socket.emit('woot </script> <//script>', '</script><script>');
+
+      socket.on('disconnect', function () {
+        io.server.close();
+        done();
+      });
+    });
+
+    cl.handshake(function (sid) {
+      cl.data('/socket.io/{protocol}/htmlfile/' + sid, function (msgs, i) {
+        switch (i) {
+          case 1:
+            msgs.should.have.length(1);
+            msgs[0].type.should.eql('connect');
+            msgs[0].endpoint.should.eql('');
+            break;
+
+          case 2:
+            msgs.should.have.length(1);
+            msgs[0].should.eql({
+                type: 'event'
+              , name: 'woot </script> <//script>'
+              , endpoint: ''
+              , args: ['</script><script>']
+            });
+            cl.end();
+        }
+      });
+    });
   }
 
 };