Bug 1768852 [wpt PR 34029] - [Trusted Types] Get list of event handle…

…rs from WebIDL, a=testonly Automatic update from web-platform-tests [Trusted Types] Get list of event handlers from WebIDL This change retrieves the list of attributes declared as event handlers from WebIDL and uses that to check for TrustedScript, instead of using the string prefix "on". Bug: 993268, 1084587 Change-Id: Ic15bc0994bcd19d9d7385cbef4af0f01af820ae1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3616765 Reviewed-by: Mason Freed <masonf@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1003034} -- wpt-commits: 559b045ea2d51a44b901f4d6b8b1baa94e633049 wpt-pr: 34029
mozilla · May 17, 2022 · 461e812 · 461e812
1 parent 03cf1a6
commit 461e812
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/testing/web-platform/tests/trusted-types/trusted-types-event-handlers.tentative.html b/testing/web-platform/tests/trusted-types/trusted-types-event-handlers.tentative.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+</head>
+<body>
+<script>
+const element = document.createElement("div");
+
+[
+  "onclick",
+  "onchange",
+  "onfocus",
+  "oNclick",
+  "OnClIcK"
+].forEach(name => {
+  test(t => {
+    assert_throws_js(TypeError,
+        _ => element.setAttribute(name, "2+2"));
+  }, `Event handler ${name} should be blocked.`);
+});
+
+[
+  "one",
+  "oNe",
+  "onIcon",
+  "offIcon",
+  "blubb"
+].forEach(name => {
+  test(t => {
+    element.setAttribute(name, "2+2");
+  }, `Non-event handler ${name} should not be blocked.`);
+});
+
+// We'd like to be sure we're not missing anything. Let's "query" an HTML
+// element about which attributes it knows.
+const div = document.createElement("div");
+for(name in div.__proto__) {
+  const should_be_event_handler = name.startsWith("on");
+  if (should_be_event_handler) {
+    test(t => {
+      assert_throws_js(TypeError,
+          _ => element.setAttribute(name, "2+2"));
+    }, `Event handler div.${name} should be blocked.`);
+  } else {
+    test(t => {
+      element.setAttribute(name, "2+2");
+    }, `Non-event handler div.${name} should not be blocked.`);
+  }
+}
+</script>
+</body>