
Update test cases for:
* fragment injection
* query string injection
* domain redirect
alxndrsn committed Sep 25, 2023
1 parent 503dd87 commit 46339c1
Showing 1 changed file with 39 additions and 7 deletions.
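--- a/test/unit/util/html.js
+++ b/test/unit/util/html.js
@@ -27,13 +27,45 @@ describe('util/html', () => {
 
 describe('safeNextPathFrom()', () => {
 [
-[ '/-/xyz', 'http://localhost:8989/-/xyz' ], // eslint-disable-line no-multi-spaces
-[ '/account/edit', '/#/account/edit' ], // eslint-disable-line no-multi-spaces
-[ '/users', '/#/users' ], // eslint-disable-line no-multi-spaces
-[ '/users"><badTag ', '/#/users%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
-[ 'http://example.com', '/#/' ], // eslint-disable-line no-multi-spaces
-[ 'https://example.com', '/#/' ], // eslint-disable-line no-multi-spaces
-[ 'javascript:badFn()', '/#/' ], // eslint-disable-line no-multi-spaces,no-script-url
+// odk-central-frontend
+[ '/account/edit', '/#/account/edit' ], // eslint-disable-line no-multi-spaces
+[ '/users', '/#/users' ], // eslint-disable-line no-multi-spaces
+[ '/users"><badTag ', '/#/users%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+
+// query params
+[ '/users?"><badTag ', '/#/users?%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users?="><badTag ', '/#/users?=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users?a="><badTag ', '/#/users?a=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users?"=><badTag ', '/#/users?%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+
+// fragments
+[ '/users#"><badTag ', '/#/users#%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users#="><badTag ', '/#/users#=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users#a="><badTag ', '/#/users#a=%22%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+[ '/users#"=><badTag ', '/#/users#%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+
+// query string & fragment
+[ '/users?"=1#"=><badTag ', '/#/users?%22=1#%22=%3E%3CbadTag' ], // eslint-disable-line no-multi-spaces
+
+// enketo-express
+[ '/-/xyz', 'http://localhost:8989/-/xyz' ], // eslint-disable-line no-multi-spaces
+[ '/-/xyz?"><b', 'http://localhost:8989/-/xyz?%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
+[ '/-/xyz#"><b', 'http://localhost:8989/-/xyz#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
+[ '/-/xyz?"><b#"><b', 'http://localhost:8989/-/xyz?%22%3E%3Cb#%22%3E%3Cb' ], // eslint-disable-line no-multi-spaces
+
+// bad domain
+[ 'http://example.com', '/#/' ], // eslint-disable-line no-multi-spaces
+// with @ char - not a problem if positioned in fragment or after first `/`:
+[ '@baddomain.com', '/#/@baddomain.com' ], // eslint-disable-line no-multi-spaces
+[ '/-/@baddomain.com', 'http://localhost:8989/-/@baddomain.com' ], // eslint-disable-line no-multi-spaces
+[ '&64;baddomain.com', '/#/&64;baddomain.com' ], // eslint-disable-line no-multi-spaces
+[ '/-/&64;baddomain.com', 'http://localhost:8989/-/&64;baddomain.com' ], // eslint-disable-line no-multi-spaces
+[ 'http://localhost:8989@baddomain.com', '/#/' ], // eslint-disable-line no-multi-spaces
+[ 'http://localhost:8989@baddomain.com', '/#/' ], // eslint-disable-line no-multi-spaces
+
+// bad protocols
+[ 'https://localhost:8989', '/#/' ], // eslint-disable-line no-multi-spaces
+[ 'javascript:badFn()', '/#/' ], // eslint-disable-line no-multi-spaces,no-script-url
 ].forEach(([next, expected]) => {
 it(`should convert next=${next} to ${expected}`, () => {
 safeNextPathFrom(next).should.equal(expected);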
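Review bot: The last two "bad domain" cases are byte-identical (`[ 'http://localhost:8989@baddomain.com', '/#/' ]` twice), so the second one adds no coverage and was presumably meant to be a different userinfo variant such as `https://localhost:8989@baddomain.com` or `http://localhost:8989:pw@baddomain.com`. Likewise `&64;` is not the entity for `@` (`&#64;` is), so if those two rows are meant to exercise an entity-encoded userinfo separator they currently test a plain literal string; confirm the intent and adjust either the input or the comment above them. For an open-redirect guard the table also lacks the classic bypass shapes — protocol-relative `//baddomain.com`, backslash forms like `/\baddomain.com` and `\\baddomain.com`, and a scheme with mixed case or leading whitespace such as ` JavaScript:badFn()` — whose expected value should be `/#/` if `safeNextPathFrom` is meant to reject them; I cannot tell from this hunk how the helper parses its input, so these may already be handled. The `it()`/`forEach` callbacks continue past the end of the hunk.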
