From 58a8e87979d68f001de9e52c00601b805bab303d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
 <m.goleb@gmail.com>
Date: Wed, 29 Apr 2020 16:39:04 +0200
Subject: [PATCH] Tests: Add tests for recently fixed manipulation XSS issues

Closes gh-4685
Ref gh-4642
Ref gh-4647

(cherry picked from commit dc06d68bdc4c2562b5cc530f21e668a17d78ee2d)
---
 test/unit/manipulation.js | 49 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index 3e50389d0..c997d7535 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2957,3 +2957,52 @@ testIframe(
 	// script-src restrictions completely.
 	QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
 );
+
+QUnit.test( "Sanitized HTML doesn't get unsanitized", function( assert ) {
+
+	var container,
+		counter = 0,
+		assertCount = 13,
+		done = assert.async( assertCount );
+
+	assert.expect( assertCount );
+
+	Globals.register( "xss" );
+	window.xss = sinon.spy();
+
+	container = jQuery( "<div></div>" );
+	container.appendTo( "#qunit-fixture" );
+
+	function test( htmlString ) {
+		var currCounter = counter,
+			div = jQuery( "<div></div>" );
+
+		counter++;
+
+		div.appendTo( container );
+		div.html( htmlString );
+
+		setTimeout( function() {
+			assert.ok( window.xss.withArgs( currCounter ).notCalled,
+				"Insecure code wasn't executed, input: " + htmlString );
+			done();
+		}, 1000 );
+	}
+
+	// Note: below test cases need to invoke the xss function with consecutive
+	// decimal parameters for the assertion messages to be correct.
+	// Thanks to Masato Kinugawa from Cure53 for providing the following test cases.
+	test( "<img alt=\"<x\" title=\"/><img src=url404 onerror=xss(0)>\">" );
+	test( "<img alt=\"\n<x\" title=\"/>\n<img src=url404 onerror=xss(1)>\">" );
+	test( "<style><style/><img src=url404 onerror=xss(2)>" );
+	test( "<xmp><xmp/><img src=url404 onerror=xss(3)>" );
+	test( "<title><title /><img src=url404 onerror=xss(4)>" );
+	test( "<iframe><iframe/><img src=url404 onerror=xss(5)>" );
+	test( "<noframes><noframes/><img src=url404 onerror=xss(6)>" );
+	test( "<noembed><noembed/><img src=url404 onerror=xss(7)>" );
+	test( "<noscript><noscript/><img src=url404 onerror=xss(8)>" );
+	test( "<foo\" alt=\"\" title=\"/><img src=url404 onerror=xss(9)>\">" );
+	test( "<img alt=\"<x\" title=\"\" src=\"/><img src=url404 onerror=xss(10)>\">" );
+	test( "<noscript/><img src=url404 onerror=xss(11)>" );
+	test( "<option><style></option></select><img src=url404 onerror=xss(12)></style>" );
+} );
-- 
2.39.5