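def _set_HTML_property(function, new_value, traverser):
    """Check a value assigned to an HTML-bearing property for unsafe markup.

    Shared implementation behind the ``innerHTML``/``outerHTML`` style
    setters: ``function`` is the property name and is only used to build
    error ids (``set_<function>``) and message text.

    Args:
        function: Name of the property being assigned.
        new_value: The assigned value; wrapped in ``jstypes.JSWrapper`` if
            it is not one already.
        traverser: The JS traverser; supplies ``warning``/``err`` plus
            ``filename``, ``line``, ``position`` and ``context``.

    Returns:
        None. Findings are reported as warnings; nothing is raised here.
    """
    if not isinstance(new_value, jstypes.JSWrapper):
        new_value = jstypes.JSWrapper(new_value, traverser=traverser)

    if not new_value.is_literal():
        # Variable assignments: the markup cannot be inspected statically,
        # so the assignment itself is reported.
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes", "set_%s" % function,
                    "variable_assignment"),
            warning="Markup should not be passed to `%s` dynamically." %
                        function,
            description="Due to both security and performance concerns, "
                        "%s may not be set using dynamic values which have "
                        "not been adequately sanitized. This can lead to "
                        "security issues or fairly serious performance "
                        "degradation." % function,
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    literal_value = new_value.get_literal_value()
    if not isinstance(literal_value, types.StringTypes):
        # Non-string literals (numbers, booleans, ...) carry no markup.
        return

    # Static string assignments. HTML tag and attribute names are
    # case-insensitive, so both textual checks run on the lowercased value;
    # previously only the event-handler check did, so "<SCRIPT" was missed.
    lowered = literal_value.lower()

    if EVENT_ASSIGNMENT.search(lowered):
        traverser.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_%s" % function, "event_assignment"),
            warning="Event handler assignment via %s" % function,
            description=("When assigning event handlers, %s "
                         "should never be used. Rather, use a "
                         "proper technique, like addEventListener." %
                             function,
                         "Event handler code: %s" %
                             literal_value.encode("ascii", "replace")),
            signing_severity="medium")
    elif "<script" in lowered or JS_URL.search(literal_value):
        # Reported through traverser.warning like the event_assignment
        # branch above, so both signing warnings are emitted the same way.
        # JS_URL keeps whatever case handling its pattern defines, so it
        # still sees the original value.
        traverser.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_%s" % function, "script_assignment"),
            warning="Scripts should not be created with `%s`" %
                        function,
            description="`%s` should not be used to add scripts to "
                        "pages via script tags or JavaScript URLs. "
                        "Instead, use event listeners and external "
                        "JavaScript." % function,
            signing_severity="medium")
    else:
        # Nothing obviously dangerous, but still run the markup validator
        # over it. Strict mode is off so malformed fragments are not
        # reported as warnings.
        from validator.testcases.markup.markuptester import \
            MarkupParser
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, "xul")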
 def test(versions):
     """Validate the enclosing ``data`` as ``name`` for ``versions``.

     The markup type handed to the parser is the extension of ``name``.
     Prints the verbose summary, asserts that validation did not fail and
     returns the ``ErrorBundle`` so callers can inspect it further.
     """
     bundle = ErrorBundle()
     bundle.supported_versions = versions
     markup_type = name.rpartition(".")[2]
     MarkupParser(bundle).process(name, data, markup_type)
     print(bundle.print_summary(verbose=True))
     assert not bundle.failed()
     return bundle
 def test(versions):
     """Run the markup parser over ``data`` (named ``name``) for ``versions``.

     The file extension of ``name`` selects the markup type. The verbose
     summary is printed, the bundle must not have failed, and it is
     returned for further inspection by the caller.
     """
     err = ErrorBundle()
     err.supported_versions = versions
     extension = name.split(".")[-1]
     parser = MarkupParser(err)
     parser.process(name, data, extension)
     summary = err.print_summary(verbose=True)
     print(summary)
     assert not err.failed()
     return err
def set_innerHTML(new_value, traverser):
    """Tests that values being assigned to innerHTML are not dangerous.

    Args:
        new_value: The assigned value; wrapped in ``jstypes.JSWrapper`` if
            it is not one already.
        traverser: The JS traverser; warnings go to ``traverser.err`` and
            are located with ``filename``, ``line``, ``position`` and
            ``context``.

    Returns:
        None. A non-literal value is reported as a dynamic assignment; a
        string literal is either reported for inline event handlers or
        handed to the (non-strict) markup validator.
    """
    if not isinstance(new_value, jstypes.JSWrapper):
        new_value = jstypes.JSWrapper(new_value, traverser=traverser)

    if not new_value.is_literal():
        # Variable assignments
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes", "set_innerHTML",
                        "variable_assignment"),
            warning="innerHTML should not be set dynamically",
            description="Due to both security and performance reasons, "
                        "innerHTML should not be set using dynamic "
                        "values. This can lead to security issues or "
                        "fairly serious performance degradation.",
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    literal_value = new_value.get_literal_value()
    if not isinstance(literal_value, types.StringTypes):
        # Non-string literals are not markup; nothing to check.
        return

    # Static string assignments: look for inline on* attributes.
    if re.search("<.+ on[a-z]+=", literal_value.lower()):
        traverser.err.warning(
            err_id=("testcases_javascript_instancetypes",
                    "set_innerHTML", "event_assignment"),
            warning="Event handler assignment via innerHTML",
            description=["When assigning event handlers, innerHTML "
                         "should never be used. Rather, use a "
                         "proper technique, like addEventListener.",
                         "Event handler code: %s" %
                            literal_value.encode("ascii", "replace")],
            filename=traverser.filename,
            line=traverser.line,
            column=traverser.position,
            context=traverser.context)
        return

    # Nothing obviously dangerous; still run the markup validator over the
    # fragment, non-strict so malformed HTML does not produce warnings.
    from validator.testcases.markup.markuptester import \
                                                    MarkupParser
    MarkupParser(traverser.err, strict=False, debug=True).process(
        traverser.filename, literal_value, "xul")
def test_absolute_uris_in_markup():
    """Absolute ``resource://`` URIs in markup are only rejected for jetpack.

    The same document is processed twice: once on a fresh bundle, which must
    not fail, and once after flagging the bundle as a jetpack add-on, which
    must fail and record compatibility errors.
    """
    markup = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'
    err = ErrorBundle()

    MarkupParser(err).process("foo.html", markup, "html")
    assert not err.failed()

    err.metadata["is_jetpack"] = True
    MarkupParser(err).process("foo.html", markup, "html")
    assert err.failed()
    assert err.compat_summary["errors"]
def test_absolute_uris_in_markup():
    """Check that absolute ``resource://`` URIs in markup fail only for jetpack.

    A fresh bundle must accept the document; after ``is_jetpack`` is set on
    the bundle's metadata the same document must fail and the compatibility
    summary must list errors.
    """
    bad_html = '<foo><bar src="resource://foo-data/bar/zap.png" /></foo>'

    def run(bundle):
        # One parser per pass, as the bundle's state changes between them.
        MarkupParser(bundle).process('foo.html', bad_html, 'html')

    err = ErrorBundle()
    run(err)
    assert not err.failed()

    err.metadata['is_jetpack'] = True
    run(err)
    assert err.failed()
    assert err.compat_summary['errors']
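def set_HTML(function, new_value, traverser):
    """Test that values being assigned to innerHTML and outerHTML are not
    dangerous.

    Args:
        function: Name of the property being assigned ('innerHTML',
            'outerHTML', ...); used for error ids and message text only.
        new_value: Wrapped JS value exposing ``is_literal``,
            ``is_clean_literal`` and ``as_str()``.
        traverser: The JS traverser; findings go through
            ``traverser.warning`` and ``traverser.err``/``traverser.filename``
            are handed to the markup parser.

    Returns:
        None. Problems are reported as signing warnings; nothing is raised.
    """

    if new_value.is_literal:
        literal_value = new_value.as_str()
        # Static string assignments

        HELP = ('Please avoid including JavaScript fragments in '
                'HTML stored in JavaScript strings. Event listeners '
                'should be added via `addEventListener` after the HTML '
                'has been injected.',
                'Injecting <script> nodes should be avoided when at all '
                'possible. If you cannot avoid loading a script directly '
                'into a content document, please consider doing so via '
                'the subscript loader (http://mzl.la/1VGxOPC) instead. '
                'If the subscript loader is not available, then the '
                'script nodes should be created using `createElement`, '
                'and should use a `src` attribute pointing to a '
                '`resource:` URL within your extension.')

        # HTML tag and attribute names are case-insensitive, so both
        # textual checks use the lowercased value; previously only the
        # event-handler check did and '<SCRIPT' was not reported.
        lowered = literal_value.lower()

        # Test for on* attributes.
        if EVENT_ASSIGNMENT.search(lowered):
            traverser.warning(
                err_id=('testcases_javascript_instancetypes',
                        'set_%s' % function, 'event_assignment'),
                warning='Event handler assignment via %s' % function,
                description=('When assigning event handlers, %s '
                             'should never be used. Rather, use a '
                             'proper technique, like addEventListener.' %
                             function, 'Event handler code: %s' %
                             literal_value.encode('ascii', 'replace')),
                signing_help=HELP,
                signing_severity='medium')

        # Test for script tags and JavaScript URLs. JS_URL keeps whatever
        # case handling its pattern defines, so it sees the original value.
        if '<script' in lowered or JS_URL.search(literal_value):
            traverser.warning(
                err_id=('testcases_javascript_instancetypes',
                        'set_%s' % function, 'script_assignment'),
                warning='Scripts should not be created with `%s`' % function,
                description='`%s` should not be used to add scripts to '
                'pages via script tags or JavaScript URLs. '
                'Instead, use event listeners and external '
                'JavaScript.' % function,
                signing_help=HELP,
                signing_severity='medium')

    if new_value.is_clean_literal:
        # Everything checks out, but we still want to pass it through
        # the markup validator. Turn off strict mode so we don't get
        # warnings about malformed HTML.
        # NOTE(review): literal_value is only bound when is_literal was
        # true above, so this relies on is_clean_literal implying
        # is_literal -- confirm against the wrapper implementation.
        from validator.testcases.markup.markuptester import (MarkupParser)
        parser = MarkupParser(traverser.err, strict=False, debug=True)
        parser.process(traverser.filename, literal_value, 'html')

    else:
        # Variable assignments
        traverser.warning(
            err_id=('testcases_javascript_instancetypes', 'set_%s' % function,
                    'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.' %
            function,
            description='Due to both security and performance concerns, '
            '%s may not be set using dynamic values which have '
            'not been adequately sanitized. This can lead to '
            'security issues or fairly serious performance '
            'degradation.' % function)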
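def _set_HTML_property(function, new_value, traverser):
    """Check a value assigned to an HTML-bearing property for unsafe markup.

    Shared implementation behind the ``innerHTML``/``outerHTML`` style
    setters: ``function`` is the property name and is only used to build
    error ids (``set_<function>``) and message text.

    Args:
        function: Name of the property being assigned.
        new_value: The assigned value; wrapped in ``jstypes.JSWrapper`` if
            it is not one already.
        traverser: The JS traverser; findings go through
            ``traverser.warning`` and ``traverser.err``/``traverser.filename``
            are handed to the markup parser.

    Returns:
        None. Findings are reported as signing warnings; nothing is raised.
    """
    if not isinstance(new_value, jstypes.JSWrapper):
        new_value = jstypes.JSWrapper(new_value, traverser=traverser)

    if new_value.is_literal():
        literal_value = new_value.get_literal_value()
        if isinstance(literal_value, types.StringTypes):
            # Static string assignments

            HELP = ('Please avoid including JavaScript fragments in '
                    'HTML stored in JavaScript strings. Event listeners '
                    'should be added via `addEventListener` after the HTML '
                    'has been injected.',
                    'Injecting <script> nodes should be avoided when at all '
                    'possible. If you cannot avoid loading a script directly '
                    'into a content document, please consider doing so via '
                    'the subscript loader (http://mzl.la/1VGxOPC) instead. '
                    'If the subscript loader is not available, then the '
                    'script nodes should be created using `createElement`, '
                    'and should use a `src` attribute pointing to a '
                    '`resource:` URL within your extension.')

            # HTML tag and attribute names are case-insensitive, so both
            # textual checks use the lowercased value; previously only the
            # event-handler check did and '<SCRIPT' was not reported.
            lowered = literal_value.lower()

            # Test for on* attributes and script tags. JS_URL keeps whatever
            # case handling its pattern defines, so it sees the original
            # value.
            if EVENT_ASSIGNMENT.search(lowered):
                traverser.warning(
                    err_id=('testcases_javascript_instancetypes',
                            'set_%s' % function, 'event_assignment'),
                    warning='Event handler assignment via %s' % function,
                    description=('When assigning event handlers, %s '
                                 'should never be used. Rather, use a '
                                 'proper technique, like addEventListener.'
                                 % function,
                                 'Event handler code: %s'
                                 % literal_value.encode('ascii', 'replace')),
                    signing_help=HELP,
                    signing_severity='medium')
            elif '<script' in lowered or JS_URL.search(literal_value):
                traverser.warning(
                    err_id=('testcases_javascript_instancetypes',
                            'set_%s' % function, 'script_assignment'),
                    warning='Scripts should not be created with `%s`'
                            % function,
                    description='`%s` should not be used to add scripts to '
                                'pages via script tags or JavaScript URLs. '
                                'Instead, use event listeners and external '
                                'JavaScript.' % function,
                    signing_help=HELP,
                    signing_severity='medium')
            else:
                # Everything checks out, but we still want to pass it through
                # the markup validator. Turn off strict mode so we don't get
                # warnings about malformed HTML.
                from validator.testcases.markup.markuptester import (
                    MarkupParser)
                parser = MarkupParser(traverser.err, strict=False, debug=True)
                parser.process(traverser.filename, literal_value, 'xul')

    else:
        # Variable assignments: the markup cannot be inspected statically,
        # so the assignment itself is reported.
        traverser.warning(
            err_id=('testcases_javascript_instancetypes', 'set_%s' % function,
                    'variable_assignment'),
            warning='Markup should not be passed to `%s` dynamically.'
                    % function,
            description='Due to both security and performance concerns, '
                        '%s may not be set using dynamic values which have '
                        'not been adequately sanitized. This can lead to '
                        'security issues or fairly serious performance '
                        'degradation.' % function)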