Permalink
Browse files

Add unit test for xss in data target attribute

  • Loading branch information...
meeque authored and Johann-S committed Aug 25, 2017
1 parent bcad4bc commit 9612830701211d757ff95ceccbb494fd2e7ee17e
Showing with 36 additions and 0 deletions.
  1. +36 −0 js/tests/unit/modal.js
@@ -597,4 +597,40 @@ $(function () {
})
.trigger('click')
})

QUnit.test('should not parse target as html', function (assert) {
assert.expect(1)
var done = assert.async()

var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div id=&quot;modal-test&quot;&gt;&lt;div class=&quot;contents&quot;&lt;div&lt;div id=&quot;close&quot; data-dismiss=&quot;modal&quot;/&gt;&lt;/div&gt;&lt;/div&gt;"/>')
.appendTo('#qunit-fixture')

$toggleBtn.trigger('click')
setTimeout(function () {
assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
done()
}, 1)
})

QUnit.test('should not execute js from target', function (assert) {
assert.expect(0)
var done = assert.async()

// This toggle button contains XSS payload in its data-target
// Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
// a script element works in manual tests though, so here it is likely blocked by the qunit framework
var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div&gt;&lt;image src=&quot;missing.png&quot; onerror=&quot;$(&apos;#qunit-fixture button.control&apos;).trigger(&apos;click&apos;)&quot;&gt;&lt;/div&gt;"/>')
.appendTo('#qunit-fixture')
// The XSS payload above does not have a closure over this function and cannot access the assert object directly
// However, it can send a click event to the following control button, which will then fail the assert
$('<button>')
.addClass('control')
.on('click', function () {
assert.notOk(true, 'XSS payload is not executed as js')
})
.appendTo('#qunit-fixture')

$toggleBtn.trigger('click')
setTimeout(done, 500)
})
})

0 comments on commit 9612830

Please sign in to comment.