diff --git a/spec/messages.js b/spec/messages.js
index 770879dbb..63441c7a9 100644
--- a/spec/messages.js
+++ b/spec/messages.js
@@ -889,66 +889,6 @@
done();
}));
- it("will have properly escaped URLs",
- mock.initConverse(
- ['rosterGroupsFetched', 'chatBoxesFetched'], {},
- async function (done, _converse) {
-
- await test_utils.waitForRoster(_converse, 'current');
- await test_utils.openControlBox(_converse);
-
- const contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@montague.lit';
- await test_utils.openChatBoxFor(_converse, contact_jid)
- const view = _converse.api.chatviews.get(contact_jid);
-
- let message = "http://www.opkode.com/'onmouseover='alert(1)'whatever";
- await test_utils.sendMessage(view, message);
-
- let msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML)
- .toEqual('http://www.opkode.com/\'onmouseover=\'alert(1)\'whatever');
-
- message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever';
- await test_utils.sendMessage(view, message);
-
- msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML).toEqual('http://www.opkode.com/"onmouseover="alert(1)"whatever');
-
- message = "https://en.wikipedia.org/wiki/Ender's_Game";
- await test_utils.sendMessage(view, message);
-
- msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML).toEqual(''+message+'');
-
- message = "";
- await test_utils.sendMessage(view, message);
-
- msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML).toEqual(
- `<https://bugs.documentfoundation.org/show_bug.cgi?id=123737>`);
-
- message = '';
- await test_utils.sendMessage(view, message);
-
- msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML).toEqual(
- '<http://www.opkode.com/"onmouseover="alert(1)"whatever>');
-
- message = `https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2`
- await test_utils.sendMessage(view, message);
-
- msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
- expect(msg.textContent).toEqual(message);
- expect(msg.innerHTML).toEqual(
- `https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2`);
- done();
- }));
-
it("will render newlines",
mock.initConverse(
['rosterGroupsFetched', 'chatBoxesFetched'], {},
diff --git a/spec/muc.js b/spec/muc.js
index c2d4f8fdd..e16a1d244 100644
--- a/spec/muc.js
+++ b/spec/muc.js
@@ -1731,38 +1731,6 @@
done();
}));
- it("escapes occupant nicknames when rendering them, to avoid JS-injection attacks",
- mock.initConverse(['rosterGroupsFetched'], {},
- async function (done, _converse) {
-
- await test_utils.openAndEnterChatRoom(_converse, 'lounge@montague.lit', 'romeo');
- /*
- *
- *
- *
- *
- * "
- */
- const presence = $pres({
- to:'romeo@montague.lit/pda',
- from:"lounge@montague.lit/<img src="x" onerror="alert(123)"/>"
- }).c('x').attrs({xmlns:'http://jabber.org/protocol/muc#user'})
- .c('item').attrs({
- jid: 'someone@montague.lit',
- role: 'moderator',
- }).up()
- .c('status').attrs({code:'110'}).nodeTree;
-
- _converse.connection._dataRecv(test_utils.createRequest(presence));
- const view = _converse.chatboxviews.get('lounge@montague.lit');
- await u.waitUntil(() => view.el.querySelectorAll('li .occupant-nick').length, 500);
- const occupants = view.el.querySelector('.occupant-list').querySelectorAll('li .occupant-nick');
- expect(occupants.length).toBe(2);
- expect(occupants[0].textContent.trim()).toBe("<img src="x" onerror="alert(123)"/>");
- done();
- }));
-
it("indicates moderators and visitors by means of a special css class and tooltip",
mock.initConverse(
['rosterGroupsFetched'], {'view_mode': 'fullscreen'},
@@ -2234,25 +2202,6 @@
done();
}));
- it("escapes the subject before rendering it, to avoid JS-injection attacks",
- mock.initConverse(
- ['rosterGroupsFetched'], {},
- async function (done, _converse) {
-
- await test_utils.openAndEnterChatRoom(_converse, 'jdev@conference.jabber.org', 'jc');
- spyOn(window, 'alert');
- const subject = '';
- const view = _converse.chatboxviews.get('jdev@conference.jabber.org');
- view.model.set({'subject': {
- 'text': subject,
- 'author': 'ralphm'
- }});
- expect(sizzle('.chat-event:last').pop().textContent.trim()).toBe('Topic set by ralphm');
- expect(view.el.querySelector('.chat-head__desc').textContent.trim()).toBe(subject);
- done();
- }));
-
-
it("reconnects when no-acceptable error is returned when sending a message",
mock.initConverse(
['rosterGroupsFetched'], {},
diff --git a/tests/runner.js b/tests/runner.js
index 62b32806a..8878c96b1 100644
--- a/tests/runner.js
+++ b/tests/runner.js
@@ -65,7 +65,8 @@ var specs = [
"spec/login",
"spec/register",
"spec/http-file-upload",
- "spec/emojis"
+ "spec/emojis",
+ "spec/xss"
];
require(['console-reporter', 'mock', 'sinon'], (ConsoleReporter, mock, sinon) => {
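Review bot: The added `"spec/xss"` entry points at a spec file that does not appear anywhere in this diff, while the three escaping regression tests (escaped URLs, occupant nicknames, room subject) are deleted from spec/messages.js and spec/muc.js in the other hunks, so unless spec/xss.js is added in the same commit the runner will fail on a missing module, or, if the file exists but does not carry those cases, XSS coverage for those three sinks is silently lost. I would confirm the new file contains all three cases before merging, since these are the only tests guarding `.chat-msg__text`, `.occupant-nick` and `.chat-head__desc` against injected markup. Note also that the removed fixtures look like they had their markup stripped at some point (`message = "";`, `message = '';` and `const subject = '';` carry no payload, and the expected `innerHTML` on the URL cases contains no anchor tag), so the moved tests should be checked for intact payloads rather than copied verbatim. A one-line comment next to the entry, `// spec/xss holds the escaping tests formerly in spec/messages and spec/muc`, would make the relocation traceable.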