def test_absolute_uris_in_markup():
    """Absolute ``resource://`` URIs in markup are only reported for Jetpack add-ons.

    The same document is parsed twice with one ErrorBundle: first as a plain
    add-on (the bundle must not fail), then after flagging the bundle as
    Jetpack (the bundle must fail and carry compatibility errors).
    """
    markup = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'
    err = ErrorBundle()

    def parse_once():
        # A fresh parser each time, exactly as the two original runs did.
        MarkupParser(err).process("foo.html", markup, "html")

    # Plain add-on: the absolute URI is tolerated.
    parse_once()
    assert not err.failed()

    # Jetpack add-on: the identical markup must now be flagged.
    err.metadata["is_jetpack"] = True
    parse_once()
    assert err.failed()
    assert err.compat_summary["errors"]
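def test(versions):
    """Parse the enclosing test's ``data`` under ``versions`` and require a clean run.

    Args:
        versions: Value assigned to ``ErrorBundle.supported_versions`` before
            parsing.

    Returns:
        The ErrorBundle after parsing, so the caller can inspect it.

    Note: ``name`` and ``data`` are closed over from the enclosing scope,
    which is not part of this block.
    """
    err = ErrorBundle()
    err.supported_versions = versions
    parser = MarkupParser(err)
    # The file extension selects which markup dialect the parser applies.
    parser.process(name, data, name.split(".")[-1])
    # Call form of print: identical output for one argument on Python 2
    # and 3, where the original statement form is a syntax error.
    print(err.print_summary(verbose=True))
    assert not err.failed()
    return err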
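def set_HTML(function, new_value, traverser):
    """Test that values being assigned to innerHTML and outerHTML are not dangerous.

    Args:
        function: Name of the property being assigned (used in error ids
            and in the warning text, e.g. ``'innerHTML'``).
        new_value: The wrapped JS value being assigned. Only
            ``is_literal``, ``as_str()`` and ``is_clean_literal`` are read.
        traverser: Reports through ``traverser.warning``; for clean
            literals its ``err`` and ``filename`` are handed to the markup
            validator.

    Literal markup is checked for inline event-handler attributes, script
    tags and JavaScript URLs; non-literal (dynamic) assignments are always
    warned about because their content cannot be inspected statically.
    Returns nothing.
    """
    if not new_value.is_literal:
        # Variable assignments
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.'
                    % function,
            description='Due to both security and performance concerns, '
                        '%s may not be set using dynamic values which have '
                        'not been adequately sanitized. This can lead to '
                        'security issues or fairly serious performance '
                        'degradation.' % function)
        return

    # Static string assignments
    literal_value = new_value.as_str()
    # HTML tag and attribute names are case-insensitive, so the substring
    # checks run on the lower-cased value; previously only the event
    # handler check did, letting e.g. `<SCRIPT ...>` through unreported.
    lowered = literal_value.lower()

    HELP = ('Please avoid including JavaScript fragments in '
            'HTML stored in JavaScript strings. Event listeners '
            'should be added via `addEventListener` after the HTML '
            'has been injected.',
            'Injecting <script> nodes should be avoided when at all '
            'possible. If you cannot avoid loading a script directly '
            'into a content document, please consider doing so via '
            'the subscript loader (http://mzl.la/1VGxOPC) instead. '
            'If the subscript loader is not available, then the '
            'script nodes should be created using `createElement`, '
            'and should use a `src` attribute pointing to a '
            '`resource:` URL within your extension.')

    # Test for on* attributes and script tags.
    if EVENT_ASSIGNMENT.search(lowered):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'event_assignment'),
            warning='Event handler assignment via %s' % function,
            description=('When assigning event handlers, %s '
                         'should never be used. Rather, use a '
                         'proper technique, like addEventListener.'
                         % function,
                         'Event handler code: %s'
                         % literal_value.encode('ascii', 'replace')),
            signing_help=HELP,
            signing_severity='medium')

    # JS_URL is a module-level pattern whose case handling is not visible
    # here, so it is still applied to the original value.
    if '<script' in lowered or JS_URL.search(literal_value):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'script_assignment'),
            warning='Scripts should not be created with `%s`' % function,
            description='`%s` should not be used to add scripts to '
                        'pages via script tags or JavaScript URLs. '
                        'Instead, use event listeners and external '
                        'JavaScript.' % function,
            signing_help=HELP,
            signing_severity='medium')

    if new_value.is_clean_literal:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from validator.testcases.markup.markuptester import MarkupParser
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, 'html')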