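def _set_HTML_property(function, new_value, traverser):
    """Check a value assigned to an HTML-bearing property (e.g. innerHTML).

    Args:
        function: Name of the property being assigned; used to build the
            ``set_<function>`` warning ids and the warning text.
        new_value: The assigned value. It is wrapped in a
            ``jstypes.JSWrapper`` if it is not one already.
        traverser: The JS traverser the warnings are reported through.

    Behaviour:
        * Non-literal (dynamic) values get a ``variable_assignment`` warning.
        * String literals are scanned for inline ``on*`` handler attributes,
          ``<script`` tags and JavaScript URLs; one warning is emitted for
          the first category that matches.
        * String literals that match neither are passed through the markup
          validator in non-strict mode.
        * Literals that are not strings are left alone.
    """
    if not isinstance(new_value, jstypes.JSWrapper):
        new_value = jstypes.JSWrapper(new_value, traverser=traverser)

    if not new_value.is_literal():
        # Variable assignments: the markup cannot be inspected statically.
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_%s" % function, "variable_assignment"),
            warning="Markup should not be passed to `%s` dynamically."
                    % function,
            description="Due to both security and performance concerns, "
                        "%s may not be set using dynamic values which have "
                        "not been adequately sanitized. This can lead to "
                        "security issues or fairly serious performance "
                        "degradation." % function,
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    literal_value = new_value.get_literal_value()
    if not isinstance(literal_value, types.StringTypes):
        # Numbers, booleans etc. carry no markup; nothing to check.
        return

    # Static string assignments. HTML tag and attribute names are
    # case-insensitive, so both checks run on the lower-cased text;
    # otherwise `<SCRIPT>` would slip past the substring test.
    lowered = literal_value.lower()

    if EVENT_ASSIGNMENT.search(lowered):
        traverser.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_%s" % function, "event_assignment"),
            warning="Event handler assignment via %s" % function,
            description=("When assigning event handlers, %s "
                         "should never be used. Rather, use a "
                         "proper technique, like addEventListener."
                         % function,
                         "Event handler code: %s"
                         % literal_value.encode("ascii", "replace")),
            signing_severity="medium")
    elif "<script" in lowered or JS_URL.search(literal_value):
        # Reported via traverser.warning, like the event_assignment branch,
        # rather than traverser.err.warning without any location kwargs,
        # which left this warning without file/line context.
        traverser.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_%s" % function, "script_assignment"),
            warning="Scripts should not be created with `%s`" % function,
            description="`%s` should not be used to add scripts to "
                        "pages via script tags or JavaScript URLs. "
                        "Instead, use event listeners and external "
                        "JavaScript." % function,
            signing_severity="medium")
    else:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from validator.testcases.markup.markuptester import \
            MarkupParser
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, "xul")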
def test(versions):
    """Parse ``data`` under the given supported versions and return the bundle.

    ``name`` and ``data`` are presumably taken from the enclosing scope
    (they are not parameters). The markup type handed to the parser is the
    file extension of ``name``. The bundle summary is printed and the
    function asserts that the bundle did not fail before returning it.
    """
    bundle = ErrorBundle()
    bundle.supported_versions = versions

    markup_type = name.split(".")[-1]
    MarkupParser(bundle).process(name, data, markup_type)

    print(bundle.print_summary(verbose=True))
    assert not bundle.failed()
    return bundle
def set_innerHTML(new_value, traverser):
    """Tests that values being assigned to innerHTML are not dangerous.

    Dynamic (non-literal) values always produce a ``variable_assignment``
    warning. String literals are checked for inline ``on*`` handler
    attributes; clean ones are handed to the markup validator in
    non-strict mode. Non-string literals are ignored.
    """
    wrapped = new_value
    if not isinstance(wrapped, jstypes.JSWrapper):
        wrapped = jstypes.JSWrapper(wrapped, traverser=traverser)

    if not wrapped.is_literal():
        # Variable assignments
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_innerHTML", "variable_assignment"),
            warning="innerHTML should not be set dynamically",
            description="Due to both security and performance reasons, "
                        "innerHTML should not be set using dynamic "
                        "values. This can lead to security issues or "
                        "fairly serious performance degradation.",
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    markup = wrapped.get_literal_value()
    if not isinstance(markup, types.StringTypes):
        return

    # Static string assignments: look for on* attributes inside a tag.
    if re.search("<.+ on[a-z]+=", markup.lower()):
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_innerHTML", "event_assignment"),
            warning="Event handler assignment via innerHTML",
            description=["When assigning event handlers, innerHTML "
                         "should never be used. Rather, use a "
                         "proper technique, like addEventListener.",
                         "Event handler code: %s"
                         % markup.encode("ascii", "replace")],
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    # Everything checks out, but we still want to pass it through
    # the markup validator. Turn off strict mode so we don't get
    # warnings about malformed HTML.
    from validator.testcases.markup.markuptester import MarkupParser
    MarkupParser(traverser.err, strict=False, debug=True).process(
        traverser.filename, markup, "xul")
def test_absolute_uris_in_markup():
    """
    Absolute ``resource://`` URIs in markup are tolerated by default but
    fail the bundle (and show up in ``compat_summary["errors"]``) once the
    bundle is marked as a Jetpack add-on.
    """
    markup = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'
    bundle = ErrorBundle()

    def parse():
        MarkupParser(bundle).process("foo.html", markup, "html")

    parse()
    assert not bundle.failed()

    bundle.metadata["is_jetpack"] = True
    parse()
    assert bundle.failed()
    assert bundle.compat_summary["errors"]
def test_absolute_uris_in_markup():
    """
    Absolute ``resource://`` URIs in markup are tolerated by default but
    fail the bundle (and show up in ``compat_summary['errors']``) once the
    bundle is marked as a Jetpack add-on.
    """
    markup = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'
    bundle = ErrorBundle()

    def parse():
        MarkupParser(bundle).process('foo.html', markup, 'html')

    parse()
    assert not bundle.failed()

    bundle.metadata['is_jetpack'] = True
    parse()
    assert bundle.failed()
    assert bundle.compat_summary['errors']
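def set_HTML(function, new_value, traverser):
    """Test that values being assigned to innerHTML and outerHTML are not
    dangerous.

    Args:
        function: Name of the property being assigned; used to build the
            ``set_<function>`` warning ids and the warning text.
        new_value: Wrapped JS value. Must expose ``is_literal``,
            ``as_str()`` and ``is_clean_literal``.
        traverser: The JS traverser the warnings are reported through.

    Behaviour:
        * Non-literal (dynamic) values get a ``variable_assignment`` warning.
        * Literal strings are scanned for inline ``on*`` handler attributes
          and, independently, for ``<script`` tags or JavaScript URLs; each
          finding produces its own warning.
        * When ``is_clean_literal`` holds (its exact meaning is not visible
          here; presumably a literal with no dynamic parts), the string is
          also passed through the markup validator in non-strict mode.
    """
    if not new_value.is_literal:
        # Variable assignments: the markup cannot be inspected statically.
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.'
                    % function,
            description='Due to both security and performance concerns, '
                        '%s may not be set using dynamic values which have '
                        'not been adequately sanitized. This can lead to '
                        'security issues or fairly serious performance '
                        'degradation.' % function)
        return

    literal_value = new_value.as_str()
    # HTML tag and attribute names are case-insensitive, so both checks run
    # on the lower-cased text; otherwise `<SCRIPT>` would slip past the
    # substring test. JS_URL keeps matching the original text.
    lowered = literal_value.lower()

    # Static string assignments
    HELP = ('Please avoid including JavaScript fragments in '
            'HTML stored in JavaScript strings. Event listeners '
            'should be added via `addEventListener` after the HTML '
            'has been injected.',
            'Injecting <script> nodes should be avoided when at all '
            'possible. If you cannot avoid loading a script directly '
            'into a content document, please consider doing so via '
            'the subscript loader (http://mzl.la/1VGxOPC) instead. '
            'If the subscript loader is not available, then the '
            'script nodes should be created using `createElement`, '
            'and should use a `src` attribute pointing to a '
            '`resource:` URL within your extension.')

    # Test for on* attributes and script tags.
    if EVENT_ASSIGNMENT.search(lowered):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'event_assignment'),
            warning='Event handler assignment via %s' % function,
            description=('When assigning event handlers, %s '
                         'should never be used. Rather, use a '
                         'proper technique, like addEventListener.'
                         % function,
                         'Event handler code: %s'
                         % literal_value.encode('ascii', 'replace')),
            signing_help=HELP,
            signing_severity='medium')

    if '<script' in lowered or JS_URL.search(literal_value):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'script_assignment'),
            warning='Scripts should not be created with `%s`' % function,
            description='`%s` should not be used to add scripts to '
                        'pages via script tags or JavaScript URLs. '
                        'Instead, use event listeners and external '
                        'JavaScript.' % function,
            signing_help=HELP,
            signing_severity='medium')

    if new_value.is_clean_literal:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from validator.testcases.markup.markuptester import (MarkupParser)
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, 'html')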
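def _set_HTML_property(function, new_value, traverser):
    """Check a value assigned to an HTML-bearing property (e.g. innerHTML).

    Args:
        function: Name of the property being assigned; used to build the
            ``set_<function>`` warning ids and the warning text.
        new_value: The assigned value. It is wrapped in a
            ``jstypes.JSWrapper`` if it is not one already.
        traverser: The JS traverser the warnings are reported through.

    Behaviour:
        * Non-literal (dynamic) values get a ``variable_assignment`` warning.
        * String literals are scanned for inline ``on*`` handler attributes,
          ``<script`` tags and JavaScript URLs; one warning is emitted for
          the first category that matches.
        * String literals that match neither are passed through the markup
          validator in non-strict mode.
        * Literals that are not strings are left alone.
    """
    if not isinstance(new_value, jstypes.JSWrapper):
        new_value = jstypes.JSWrapper(new_value, traverser=traverser)

    if not new_value.is_literal():
        # Variable assignments: the markup cannot be inspected statically.
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.'
                    % function,
            description='Due to both security and performance concerns, '
                        '%s may not be set using dynamic values which have '
                        'not been adequately sanitized. This can lead to '
                        'security issues or fairly serious performance '
                        'degradation.' % function)
        return

    literal_value = new_value.get_literal_value()
    if not isinstance(literal_value, types.StringTypes):
        # Numbers, booleans etc. carry no markup; nothing to check.
        return

    # Static string assignments
    HELP = ('Please avoid including JavaScript fragments in '
            'HTML stored in JavaScript strings. Event listeners '
            'should be added via `addEventListener` after the HTML '
            'has been injected.',
            'Injecting <script> nodes should be avoided when at all '
            'possible. If you cannot avoid loading a script directly '
            'into a content document, please consider doing so via '
            'the subscript loader (http://mzl.la/1VGxOPC) instead. '
            'If the subscript loader is not available, then the '
            'script nodes should be created using `createElement`, '
            'and should use a `src` attribute pointing to a '
            '`resource:` URL within your extension.')

    # HTML tag and attribute names are case-insensitive, so both checks run
    # on the lower-cased text; otherwise `<SCRIPT>` would slip past the
    # substring test. JS_URL keeps matching the original text.
    lowered = literal_value.lower()

    # Test for on* attributes and script tags.
    if EVENT_ASSIGNMENT.search(lowered):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'event_assignment'),
            warning='Event handler assignment via %s' % function,
            description=('When assigning event handlers, %s '
                         'should never be used. Rather, use a '
                         'proper technique, like addEventListener.'
                         % function,
                         'Event handler code: %s'
                         % literal_value.encode('ascii', 'replace')),
            signing_help=HELP,
            signing_severity='medium')
    elif '<script' in lowered or JS_URL.search(literal_value):
        traverser.warning(
            err_id=('testcases_javascript_instancetypes',
                    'set_%s' % function, 'script_assignment'),
            warning='Scripts should not be created with `%s`' % function,
            description='`%s` should not be used to add scripts to '
                        'pages via script tags or JavaScript URLs. '
                        'Instead, use event listeners and external '
                        'JavaScript.' % function,
            signing_help=HELP,
            signing_severity='medium')
    else:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        from validator.testcases.markup.markuptester import (
            MarkupParser)
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, 'xul')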