authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2021-05-12 00:59:42 +0200
committerGitHub <noreply@github.com>2021-05-12 00:59:42 +0200
commitafe20b79a64266e64011f34b26a30b3d1c62fd47 (patch)
tree574ba09c71f24ae6f9728e88c5455301689d8a84 /tests
parenteffa323f1505f2ce7a324e4f429fa9032c72f280 (diff)
Datepicker: Make sure text option are text, shorten HTML strings
Instead of using enormous HTML strings, various elements are now constructed using jQuery APIs. This makes it more obvious that user-provided data is used correctly. Fixes #15284 Closes gh-1953
Diffstat (limited to 'tests')
-rw-r--r--tests/unit/datepicker/options.js51
1 files changed, 51 insertions, 0 deletions
diff --git a/tests/unit/datepicker/options.js b/tests/unit/datepicker/options.js
index e5e938a0f..e58b9a75d 100644
--- a/tests/unit/datepicker/options.js
+++ b/tests/unit/datepicker/options.js
@@ -1171,4 +1171,55 @@ QUnit.test( "Ticket 7602: Stop datepicker from appearing with beforeShow event h
inp.datepicker( "destroy" );
} );
+QUnit.test( "Ticket #15284: escaping text parameters", function( assert ) {
+ assert.expect( 7 );
+
+ var done = assert.async();
+
+ var qf = $( "#qunit-fixture" );
+
+ window.uiGlobalXss = [];
+
+ var inp = testHelper.init( "#inp", {
+ showButtonPanel: true,
+ showOn: "both",
+ prevText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'prevText XSS' ] )</script>",
+ nextText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'nextText XSS' ] )</script>",
+ currentText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'currentText XSS' ] )</script>",
+ closeText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'closeText XSS' ] )</script>",
+ buttonText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'buttonText XSS' ] )</script>",
+ appendText: "<script>uiGlobalXss = uiGlobalXss.concat( [ 'appendText XSS' ] )</script>"
+ } );
+
+ var dp = $( "#ui-datepicker-div" );
+
+ testHelper.onFocus( inp, function() {
+ assert.equal( dp.find( ".ui-datepicker-prev" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'prevText XSS' ] )</script>",
+ "prevText escaped" );
+ assert.equal( dp.find( ".ui-datepicker-next" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'nextText XSS' ] )</script>",
+ "nextText escaped" );
+ assert.equal( dp.find( ".ui-datepicker-current" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'currentText XSS' ] )</script>",
+ "currentText escaped" );
+ assert.equal( dp.find( ".ui-datepicker-close" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'closeText XSS' ] )</script>",
+ "closeText escaped" );
+
+ assert.equal( qf.find( ".ui-datepicker-trigger" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'buttonText XSS' ] )</script>",
+ "buttonText escaped" );
+ assert.equal( qf.find( ".ui-datepicker-append" ).text().trim(),
+ "<script>uiGlobalXss = uiGlobalXss.concat( [ 'appendText XSS' ] )</script>",
+ "appendText escaped" );
+
+ assert.deepEqual( window.uiGlobalXss, [], "No XSS" );
+
+ delete window.uiGlobalXss;
+ inp.datepicker( "hide" ).datepicker( "destroy" );
+ done();
+ } );
+} );
+
} );
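Review bot: The cleanup in the onFocus callback — `delete window.uiGlobalXss`, the hide/destroy call and `done()` — only runs if every statement before it completes, so an exception thrown inside the callback (or a `testHelper.onFocus` that never fires) leaves the `uiGlobalXss` global and the datepicker in place for the following tests and lets QUnit's async timeout report the failure instead of the real cause. Wrapping the assertions in `try { … } finally { delete window.uiGlobalXss; inp.datepicker( "hide" ).datepicker( "destroy" ); done(); }` keeps the teardown on every path. The test covers prevText, nextText, currentText, closeText, buttonText and appendText; if the library change also converted other text-bearing options (for example `weekHeader` or `yearSuffix`), it would be worth adding them here so the escaping of each is pinned by an assertion and `assert.expect` is raised accordingly. The enclosing `QUnit.test` is fully inside the hunk, but the surrounding module block starts outside it.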