diff --git a/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java b/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
index 674f1d4cd14..28063ab4f80 100644
--- a/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
+++ b/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
@@ -6,23 +6,35 @@
import com.vaadin.flow.testutil.ChromeBrowserTest;
public class RouteNotFoundIT extends ChromeBrowserTest {
+ /*
+ Original script:
+
+ */
+ private static final String INJECT_ATTACK = "%3Cimg%20src%3Dx%20onerror" +
+ "%3D%28function%28%29%7Bd%3Ddocument.createElement%28%22DIV%22%" +
+ "29%3Bdocument.body.appendChild%28d%29%3Bd.id%3D%22injected%22%" +
+ "3B%7D%29%28%29%3E";
@Test
public void notFoundDevMode() {
- getDriver().get(getRootURL() + "/view/notfound");
+ getDriver().get(getRootURL() + "/view/notfound/" + INJECT_ATTACK);
String pageSource = getDriver().getPageSource();
Assert.assertTrue(pageSource.contains("Available routes"));
Assert.assertTrue(pageSource.contains("noParent"));
Assert.assertTrue(pageSource.contains("foo/bar"));
+ // check that
did not inject div via script
+ Assert.assertFalse(pageSource.contains("