authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-16 21:28:41 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-16 21:28:41 +0000
commite4a6c8cc717fc841a71f174af52249dd9a65e736 (patch)
tree2111b32057b1f20dbbf11b636950abf9ce45c096 /chrome/browser/session_history_uitest.cc
parent20a07e0d7cb92b2651d7d60e676c28f411009cb3 (diff)
downloadchromium_src-e4a6c8cc717fc841a71f174af52249dd9a65e736.zip
chromium_src-e4a6c8cc717fc841a71f174af52249dd9a65e736.tar.gz
chromium_src-e4a6c8cc717fc841a71f174af52249dd9a65e736.tar.bz2
Add test for history HTML escaping issue.
BUG=17892 TEST=SessionHistoryTest.HistorySearchXSS Review URL: http://codereview.chromium.org/206040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26392 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/session_history_uitest.cc')
-rw-r--r--chrome/browser/session_history_uitest.cc17
1 files changed, 17 insertions, 0 deletions
diff --git a/chrome/browser/session_history_uitest.cc b/chrome/browser/session_history_uitest.cc
index 88e6519..8d76583 100644
--- a/chrome/browser/session_history_uitest.cc
+++ b/chrome/browser/session_history_uitest.cc
@@ -6,6 +6,7 @@
#include "base/file_path.h"
#include "base/platform_thread.h"
#include "base/string_util.h"
+#include "chrome/common/url_constants.h"
#include "chrome/test/automation/tab_proxy.h"
#include "chrome/test/automation/browser_proxy.h"
#include "chrome/test/ui/ui_test.h"
@@ -501,4 +502,20 @@ TEST_F(SessionHistoryTest, DISABLED_LocationReplace) {
EXPECT_EQ(L"", GetTabTitle());
}
+TEST_F(SessionHistoryTest, HistorySearchXSS) {
+ // about:blank should be loaded first.
+ ASSERT_FALSE(tab_->GoBack());
+ EXPECT_EQ(L"", GetTabTitle());
+
+ GURL url(std::string(chrome::kChromeUIHistoryURL) +
+ "#q=%3Cimg%20src%3Dx%3Ax%20onerror%3D%22document.title%3D'XSS'%22%3E");
+ ASSERT_TRUE(tab_->NavigateToURL(url));
+ // Mainly, this is to ensure we send a synchronous message to the renderer
+ // so that we're not susceptible (less susceptible?) to a race condition.
+ // Should a race condition ever trigger, it won't result in flakiness.
+ int num = tab_->FindInPage(L"<img", FWD, CASE_SENSITIVE, false, NULL);
+ EXPECT_GT(num, 0);
+ EXPECT_EQ(L"History", GetTabTitle());
+}
+
} // namespace
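Review bot: The new HistorySearchXSS test has no comment tying it to the bug it regresses or explaining why its two expectations together establish the escaping property, which a later maintainer editing the payload or the expected title will need; the commit message mentions BUG=17892 but the test body does not. I would add above the TEST_F: `// Regression test for bug 17892: the search query taken from the URL fragment (#q=...) must be HTML-escaped when echoed into the history page. FindInPage matching "<img" shows the markup was rendered as literal text; the title staying "History" shows no script ran.` It is also worth noting in that comment that `EXPECT_GT(num, 0)` additionally fails if the page stops reflecting the query at all, so a failure there is not necessarily an escaping regression, and that the encoded literal on the GURL line decodes to the markup in the first sentence, so readers do not have to decode it by hand. The enclosing anonymous namespace begins outside the hunk.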