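/**
 * Builds a control through `setup_test` and fails the running test case if
 * the markup under test manages to call `window.xss()`.
 *
 * `window.xss` is installed as a tripwire before the control is built. If it
 * is called, the case finishes with an 'Exploit executed' error. If nothing
 * calls it within the observation window, the case finishes successfully and
 * the tripwire is replaced with a no-op.
 *
 * Limitation: the check is purely time-based. A handler that fires after the
 * window has elapsed reaches the no-op and is not reported, so a pass here
 * means "nothing executed within the window", not "the markup is inert".
 *
 * @param {string} html - Markup handed to `setup_test`.
 * @param {Object} options - Control options handed to `setup_test`.
 * @param {function(Error=)} done - Test-runner completion callback.
 * @returns {*} Whatever `setup_test` returns (the cases below use `.instance`).
 */
var setup_xss_test = function(html, options, done) {
	// Observation window in milliseconds.
	var watch_ms = 75;
	var timeout = null;
	var finished = false;

	// Defined before the tripwire is armed: a payload that runs synchronously
	// while setup_test() is still building the control must land in a real
	// function and fail the case, not hit an unassigned variable.
	var complete = function(err) {
		// Report exactly once, whichever of tripwire and timer comes first.
		if (finished) return;
		finished = true;
		window.clearTimeout(timeout);
		window.xss = function() {};
		done(err);
	};

	window.xss = function() {
		complete(new Error('Exploit executed'));
	};

	var test = setup_test(html, options);

	// Only start the timer if the tripwire has not already fired during setup.
	if (!finished) {
		timeout = window.setTimeout(function() { complete(); }, watch_ms);
	}

	return test;
};

// NOTE(review): every markup fixture in this listing (the `html` argument and
// the label/value strings under test) is an empty string. As shown, none of
// these cases can reach window.xss(), so they pass vacuously. The fixtures
// were presumably lost when the file was captured; confirm against the
// repository copy before relying on this suite as a regression guard.
describe('XSS', function() {

	// Markup already present in the source element's value.
	it_n('Raw HTML in original input value should not trigger exploit', function(done) {
		setup_xss_test('', {}, done);
	});

	// The option list is refreshed and opened after setup, presumably so the
	// optgroup header is actually rendered inside the observation window.
	it_n('Raw HTML in optgroup label should not trigger exploit', function(done) {
		var test = setup_xss_test('', {}, done);
		test.instance.refreshOptions();
		test.instance.open();
	});

	// The label is rendered for a pre-selected item.
	it_n('Raw HTML in option label should not trigger exploit', function(done) {
		setup_xss_test('', {
			options: [
				{value: '1', label: ''}
			],
			items: ['1'],
		}, done);
	});

	// Same as above, with the value rather than the label under test.
	it_n('Raw HTML in option value should not trigger exploit', function(done) {
		setup_xss_test('', {
			options: [
				{value: '', label: '1'}
			],
			items: [''],
		}, done);
	});

	// A user-supplied `item` template that passes the label through the
	// `escape` helper it is given. This covers the helper only; a template
	// that skips `escape` is not exercised here.
	it_n('Custom templates should not trigger exploit', function(done) {
		setup_xss_test('', {
			options: [
				{value: '1', label: ''}
			],
			items: ['1'],
			render: {
				// NOTE(review): only line breaks surround the escaped label in
				// this listing; any wrapper markup appears to have been lost.
				// The breaks are written as '\n' so the literal is valid.
				'item': function(data, escape) {
					return '\n' + escape(data.label) + '\n';
				},
			}
		}, done);
	});

});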