<html>
<head>
<script src="../../resources/js-test.js"></script>
</head>
<body>
<div id="hidden" style="visibility: hidden">
<script id="script">/*"'&<> "'&<> "'&<> */</script>
<style id="style">/*"'&<> "'&<> "'&<> */</style>
<textarea id="textarea">/*"'&<> "'&<> "'&<> */</textarea>
<xmp id="xmp">/*"'&<> "'&<> "'&<> */</xmp>
</div>
<script>
description("Tests that accessing the innerHTML property of a text node encodes harmful entities which can result in cross site scripting.");
var tests = [ ['innerHTML("script")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
['innerHTML("style")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
['innerHTML("textarea")', '"/*\\"\'&<> \\"\'&<> \\"\'&<> */"'],
['innerHTML("xmp")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
['outerHTML("script")' , '"<script id=\\"script\\">/*"'&<> "'&<> \\"\'&<> */<\/script>"'],
['outerHTML("style")' , '"<style id=\\"style\\">/*"'&<> "'&<> \\"\'&<> */<\/style>"'],
['outerHTML("textarea")', '"<textarea id=\\"textarea\\">/*\\"\'&<> \\"\'&<> \\"\'&<> */<\/textarea>"'],
['outerHTML("xmp")' , '"<xmp id=\\"xmp\\">/*"'&<> "'&<> \\"\'&<> */<\/xmp>"'],
];
function innerHTML(textnode) {
return document.getElementById(textnode).innerHTML;
}
function outerHTML(textnode) {
return document.getElementById(textnode).outerHTML;
}
for (var i in tests) {
shouldBe(tests[i][0], tests[i][1]);
}
</script>
</body>
</html>
Codebase Browser
chromium