diff --git a/spec/messages.js b/spec/messages.js
index 770879dbb..63441c7a9 100644
--- a/spec/messages.js
+++ b/spec/messages.js
@@ -889,66 +889,6 @@ done(); })); - it("will have properly escaped URLs", - mock.initConverse( - ['rosterGroupsFetched', 'chatBoxesFetched'], {}, - async function (done, _converse) { - - await test_utils.waitForRoster(_converse, 'current'); - await test_utils.openControlBox(_converse); - - const contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@montague.lit'; - await test_utils.openChatBoxFor(_converse, contact_jid) - const view = _converse.api.chatviews.get(contact_jid); - - let message = "http://www.opkode.com/'onmouseover='alert(1)'whatever"; - await test_utils.sendMessage(view, message); - - let msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML) - .toEqual('http://www.opkode.com/\'onmouseover=\'alert(1)\'whatever'); - - message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever'; - await test_utils.sendMessage(view, message); - - msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML).toEqual('http://www.opkode.com/"onmouseover="alert(1)"whatever'); - - message = "https://en.wikipedia.org/wiki/Ender's_Game"; - await test_utils.sendMessage(view, message); - - msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML).toEqual(''+message+''); - - message = ""; - await test_utils.sendMessage(view, message); - - msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML).toEqual( - `<https://bugs.documentfoundation.org/show_bug.cgi?id=123737>`); - - message = ''; - await test_utils.sendMessage(view, message); - - msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML).toEqual( - 
'<http://www.opkode.com/"onmouseover="alert(1)"whatever>'); - - message = `https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2` - await test_utils.sendMessage(view, message); - - msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop(); - expect(msg.textContent).toEqual(message); - expect(msg.innerHTML).toEqual( - `https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2`); - done(); - })); - it("will render newlines", mock.initConverse( ['rosterGroupsFetched', 'chatBoxesFetched'], {}, diff --git a/spec/muc.js b/spec/muc.js index c2d4f8fdd..e16a1d244 100644 --- a/spec/muc.js +++ b/spec/muc.js 
@@ -1731,38 +1731,6 @@ done(); })); - it("escapes occupant nicknames when rendering them, to avoid JS-injection attacks", - mock.initConverse(['rosterGroupsFetched'], {}, - async function (done, _converse) { - - await test_utils.openAndEnterChatRoom(_converse, 'lounge@montague.lit', 'romeo'); - /* - * - * - * - * - * " - */ - const presence = $pres({ - to:'romeo@montague.lit/pda', - from:"lounge@montague.lit/<img src="x" onerror="alert(123)"/>" - }).c('x').attrs({xmlns:'http://jabber.org/protocol/muc#user'}) - .c('item').attrs({ - jid: 'someone@montague.lit', - role: 'moderator', - }).up() - .c('status').attrs({code:'110'}).nodeTree; - - _converse.connection._dataRecv(test_utils.createRequest(presence)); - const view = _converse.chatboxviews.get('lounge@montague.lit'); - await u.waitUntil(() => view.el.querySelectorAll('li .occupant-nick').length, 500); - const occupants = view.el.querySelector('.occupant-list').querySelectorAll('li .occupant-nick'); - expect(occupants.length).toBe(2); - expect(occupants[0].textContent.trim()).toBe("<img src="x" onerror="alert(123)"/>"); - done(); - })); - it("indicates moderators and visitors by means of a special css class and tooltip", mock.initConverse( ['rosterGroupsFetched'], {'view_mode': 'fullscreen'}, 
@@ -2234,25 +2202,6 @@ done(); })); - it("escapes the subject before rendering it, to avoid JS-injection attacks", - mock.initConverse( - ['rosterGroupsFetched'], {}, - async function (done, _converse) { - - await test_utils.openAndEnterChatRoom(_converse, 'jdev@conference.jabber.org', 'jc'); - spyOn(window, 'alert'); - const subject = ''; - const view = _converse.chatboxviews.get('jdev@conference.jabber.org'); - view.model.set({'subject': { - 'text': subject, - 'author': 'ralphm' - }}); - expect(sizzle('.chat-event:last').pop().textContent.trim()).toBe('Topic set by ralphm'); - expect(view.el.querySelector('.chat-head__desc').textContent.trim()).toBe(subject); - done(); - })); - - it("reconnects when no-acceptable error is returned when sending a message", mock.initConverse( ['rosterGroupsFetched'], {}, diff --git a/tests/runner.js b/tests/runner.js index 62b32806a..8878c96b1 100644 --- a/tests/runner.js +++ b/tests/runner.js @@ -65,7 +65,8 @@ var specs = [ "spec/login", "spec/register", "spec/http-file-upload", - "spec/emojis" + "spec/emojis", + "spec/xss" ]; require(['console-reporter', 'mock', 'sinon'], (ConsoleReporter, mock, sinon) => {
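Review bot: The new `"spec/xss"` entry added to the specs list in tests/runner.js refers to a file that does not appear anywhere in this diff, so it cannot be confirmed here that spec/xss exists or that it carries the three escaping regression tests this commit deletes from spec/messages.js (properly escaped URLs) and spec/muc.js (occupant nickname escaping, subject escaping). If the new spec file is part of the same change, it should keep at least the same cases as the removed tests — both quote styles inside a URL compared via innerHTML and textContent, the nickname rendered as text rather than markup, and the subject checked through textContent — since those are the checks that guard against markup injection in rendered chat content. If the module is missing or misnamed, the AMD-style `require([...])` loader below the list will presumably fail to resolve it and the whole suite will not run, so a short comment above the list such as `// escaping/XSS regression tests live in spec/xss — keep this entry` would make the dependency explicit and protect it from a future cleanup.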