author | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-04-30 21:25:29 +0200 |
---|---|---|
committer | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2020-04-30 21:26:18 +0200 |
commit | ea2d0d50c06e8d77ea3fdfa32fa0bfe6f91418d2 (patch) | |
tree | b7351bb9d9e292701b9a51143adeef7a0f58adbd /test/unit | |
parent | ea3766c08156541617ca3d15755a9ade8fdedcc0 (diff) | |
Tests: Workaround failures in recent XSS tests in iOS 8 - 12
iOS 8-12 parses `<noembed>` tags differently, executing this code. This is no
different to native behavior on that OS, though, so just accept it.
Ref gh-4685
Closes gh-4694
(cherry picked from commit 11066a9e6ac183dd710d1bc7aa74a3f809757136)
Diffstat (limited to 'test/unit')
-rw-r--r-- | test/unit/manipulation.js | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index 39aa86a3a..22e9ae747 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2962,7 +2962,8 @@ QUnit.test( "Sanitized HTML doesn't get unsanitized", function( assert ) {
 var container,
 counter = 0,
- assertCount = 13,
+ oldIos = /iphone os (?:8|9|10|11|12)_/i.test( navigator.userAgent ),
+ assertCount = oldIos ? 12 : 13,
 done = assert.async( assertCount );
 assert.expect( assertCount );
@@ -2999,10 +3000,17 @@ QUnit.test( "Sanitized HTML doesn't get unsanitized", function( assert ) {
 test( "<title><title /><img src=url404 onerror=xss(4)>" );
 test( "<iframe><iframe/><img src=url404 onerror=xss(5)>" );
 test( "<noframes><noframes/><img src=url404 onerror=xss(6)>" );
- test( "<noembed><noembed/><img src=url404 onerror=xss(7)>" );
- test( "<noscript><noscript/><img src=url404 onerror=xss(8)>" );
- test( "<foo\" alt=\"\" title=\"/><img src=url404 onerror=xss(9)>\">" );
- test( "<img alt=\"<x\" title=\"\" src=\"/><img src=url404 onerror=xss(10)>\">" );
- test( "<noscript/><img src=url404 onerror=xss(11)>" );
- test( "<option><style></option></select><img src=url404 onerror=xss(12)></style>" );
+ test( "<noscript><noscript/><img src=url404 onerror=xss(7)>" );
+ test( "<foo\" alt=\"\" title=\"/><img src=url404 onerror=xss(8)>\">" );
+ test( "<img alt=\"<x\" title=\"\" src=\"/><img src=url404 onerror=xss(9)>\">" );
+ test( "<noscript/><img src=url404 onerror=xss(10)>" );
+
+ test( "<option><style></option></select><img src=url404 onerror=xss(11)></style>" );
+
+ // Support: iOS 8 - 12 only.
+ // Old iOS parses `<noembed>` tags differently, executing this code. This is no
+ // different to native behavior on that OS, though, so just accept it.
+ if ( !oldIos ) {
+ test( "<noembed><noembed/><img src=url404 onerror=xss(12)>" );
+ }
 } ); |
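Review bot: The `oldIos` sniff added to the `var` list only matches user agents containing `iPhone OS`, so an iPad on iOS 8 - 12 would still get `assertCount` 13 and run the `<noembed>` case. As far as I know, iPad Safari on those versions reports `CPU OS 12_x` without the word "iPhone", though that should be confirmed against the devices in the test matrix. If iPads are covered, a pattern such as `/cpu (?:iphone )?os (?:8|9|10|11|12)_/i` would cover both forms. The test function's body continues outside this hunk.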
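Review bot: Inside `if ( !oldIos )` the `<noembed>` payload is skipped entirely on iOS 8 - 12, so on those browsers a sanitization regression for this vector would pass unnoticed while the test title still reads as a full guarantee. The comment should say that the case is skipped rather than fixed and point to the tracking issue, e.g. `// Skipped, not fixed: this vector still executes on iOS 8 - 12; see gh-4685.` Moving the case to the end also renumbers the payloads (`<noembed>` goes from `xss(7)` to `xss(12)`), so numbers in failure output from before this commit no longer identify the same vector. How `xss(N)` is reported cannot be checked here because the `test` helper is defined outside the hunk.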