def test_absolute_uris_in_markup():
    """
    An absolute ``resource://`` URI inside markup is only reported for
    Jetpack add-ons: the same document passes until ``is_jetpack`` is set
    in the bundle metadata, after which the bundle fails and the error is
    recorded in the compatibility summary.
    """

    markup = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'
    bundle = ErrorBundle()

    # Plain add-on: the absolute URI is tolerated.
    MarkupParser(bundle).process("foo.html", markup, "html")
    assert not bundle.failed()

    # Jetpack add-on: identical markup is now rejected.
    bundle.metadata["is_jetpack"] = True
    MarkupParser(bundle).process("foo.html", markup, "html")
    assert bundle.failed()
    assert bundle.compat_summary["errors"]
 def test(versions):
     """Parse ``data`` as file ``name`` under the given supported versions.

     ``name`` and ``data`` come from the enclosing scope. The summary is
     printed for debugging, the bundle must not have failed, and the bundle
     is returned so the caller can inspect it further.
     """
     bundle = ErrorBundle()
     bundle.supported_versions = versions
     # The file type handed to the parser is the extension of ``name``.
     file_type = name.split(".")[-1]
     MarkupParser(bundle).process(name, data, file_type)
     print(bundle.print_summary(verbose=True))
     assert not bundle.failed()
     return bundle
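def set_HTML(function, new_value, traverser):
    """Test that values being assigned to innerHTML and outerHTML are not
    dangerous.

    ``function`` is the name of the property being assigned (it is embedded
    in the error ids and messages), ``new_value`` is the wrapped value
    being assigned and ``traverser`` receives the warnings and provides the
    error bundle (``traverser.err``) and the current filename.

    Literal strings are scanned for inline event handlers, ``<script>``
    tags and JavaScript URLs; a clean literal is additionally run through
    the markup validator in non-strict mode. A non-literal (dynamic)
    assignment always produces a warning.
    """

    if new_value.is_literal:
        literal_value = new_value.as_str()
        # Static string assignments

        # HTML tag and attribute names are case-insensitive, so both the
        # event-handler and the <script> checks look at the lowercased
        # string; `<SCRIPT>` must be caught just like `<script>`.
        lowered_value = literal_value.lower()

        HELP = ('Please avoid including JavaScript fragments in '
                'HTML stored in JavaScript strings. Event listeners '
                'should be added via `addEventListener` after the HTML '
                'has been injected.',
                'Injecting <script> nodes should be avoided when at all '
                'possible. If you cannot avoid loading a script directly '
                'into a content document, please consider doing so via '
                'the subscript loader (http://mzl.la/1VGxOPC) instead. '
                'If the subscript loader is not available, then the '
                'script nodes should be created using `createElement`, '
                'and should use a `src` attribute pointing to a '
                '`resource:` URL within your extension.')

        # Test for on* attributes and script tags.
        if EVENT_ASSIGNMENT.search(lowered_value):
            traverser.warning(
                err_id=('testcases_javascript_instancetypes',
                        'set_%s' % function, 'event_assignment'),
                warning='Event handler assignment via %s' % function,
                description=('When assigning event handlers, %s '
                             'should never be used. Rather, use a '
                             'proper technique, like addEventListener.' %
                             function, 'Event handler code: %s' %
                             literal_value.encode('ascii', 'replace')),
                signing_help=HELP,
                signing_severity='medium')

        # JS_URL is still applied to the original string; whether that
        # pattern is itself case-insensitive is not visible here.
        if '<script' in lowered_value or JS_URL.search(literal_value):
            traverser.warning(
                err_id=('testcases_javascript_instancetypes',
                        'set_%s' % function, 'script_assignment'),
                warning='Scripts should not be created with `%s`' % function,
                description='`%s` should not be used to add scripts to '
                'pages via script tags or JavaScript URLs. '
                'Instead, use event listeners and external '
                'JavaScript.' % function,
                signing_help=HELP,
                signing_severity='medium')

    if new_value.is_clean_literal:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        # NOTE(review): presumably is_clean_literal implies is_literal;
        # otherwise `literal_value` is unbound here -- confirm in the
        # wrapper type.
        from validator.testcases.markup.markuptester import (MarkupParser)
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, 'html')

    else:
        # Variable assignments: the content cannot be inspected
        # statically, so it is always reported.
        traverser.warning(
            err_id=('testcases_javascript_instancetypes', 'set_%s' % function,
                    'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.' %
            function,
            description='Due to both security and performance concerns, '
            '%s may not be set using dynamic values which have '
            'not been adequately sanitized. This can lead to '
            'security issues or fairly serious performance '
            'degradation.' % function)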