From acc37c23625430ba00af5a71364915cbdacb0822 Mon Sep 17 00:00:00 2001
From: Joni <45562391+ujoni@users.noreply.github.com>
Date: Thu, 18 Apr 2019 14:56:21 +0300
Subject: [PATCH] Test for xss attack (#5519)
Test for #5498
---
.../vaadin/flow/uitest/ui/RouteNotFoundIT.java | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java b/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
index 674f1d4cd14..28063ab4f80 100644
--- a/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
+++ b/flow-tests/test-root-context/src/test/java/com/vaadin/flow/uitest/ui/RouteNotFoundIT.java
@@ -6,23 +6,35 @@
import com.vaadin.flow.testutil.ChromeBrowserTest;
public class RouteNotFoundIT extends ChromeBrowserTest {
+ /*
+ Original script:
+
+ */
+ private static final String INJECT_ATTACK = "%3Cimg%20src%3Dx%20onerror" +
+ "%3D%28function%28%29%7Bd%3Ddocument.createElement%28%22DIV%22%" +
+ "29%3Bdocument.body.appendChild%28d%29%3Bd.id%3D%22injected%22%" +
+ "3B%7D%29%28%29%3E";
@Test
public void notFoundDevMode() {
- getDriver().get(getRootURL() + "/view/notfound");
+ getDriver().get(getRootURL() + "/view/notfound/" + INJECT_ATTACK);
String pageSource = getDriver().getPageSource();
Assert.assertTrue(pageSource.contains("Available routes"));
Assert.assertTrue(pageSource.contains("noParent"));
Assert.assertTrue(pageSource.contains("foo/bar"));
+ // check that
did not inject div via script
+ Assert.assertFalse(pageSource.contains("