-rw-r--r-- | chrome/browser/session_history_uitest.cc | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/chrome/browser/session_history_uitest.cc b/chrome/browser/session_history_uitest.cc
index 88e6519..8d76583 100644
--- a/chrome/browser/session_history_uitest.cc
+++ b/chrome/browser/session_history_uitest.cc
@@ -6,6 +6,7 @@
 #include "base/file_path.h"
 #include "base/platform_thread.h"
 #include "base/string_util.h"
+#include "chrome/common/url_constants.h"
 #include "chrome/test/automation/tab_proxy.h"
 #include "chrome/test/automation/browser_proxy.h"
 #include "chrome/test/ui/ui_test.h"
@@ -501,4 +502,20 @@ TEST_F(SessionHistoryTest, DISABLED_LocationReplace) {
 EXPECT_EQ(L"", GetTabTitle());
 }
 
+TEST_F(SessionHistoryTest, HistorySearchXSS) {
+ // about:blank should be loaded first.
+ ASSERT_FALSE(tab_->GoBack());
+ EXPECT_EQ(L"", GetTabTitle());
+
+ GURL url(std::string(chrome::kChromeUIHistoryURL) +
+ "#q=%3Cimg%20src%3Dx%3Ax%20onerror%3D%22document.title%3D'XSS'%22%3E");
+ ASSERT_TRUE(tab_->NavigateToURL(url));
+ // Mainly, this is to ensure we send a synchronous message to the renderer
+ // so that we're not susceptible (less susceptible?) to a race condition.
+ // Should a race condition ever trigger, it won't result in flakiness.
+ int num = tab_->FindInPage(L"<img", FWD, CASE_SENSITIVE, false, NULL);
+ EXPECT_GT(num, 0);
+ EXPECT_EQ(L"History", GetTabTitle());
+}
+
 } // namespace
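Review bot: The `EXPECT_GT(num, 0)` line in HistorySearchXSS is what makes the title assertion meaningful, but the comment above it only discusses message ordering, so a reader cannot see why the find is there; I would add `// The term must reach the page as literal text; if the history page dropped it entirely, the title check below would pass vacuously.` directly above the FindInPage call. The existing "(less susceptible?)" wording leaves open whether FindInPage is guaranteed to be processed after any onerror handler from the injected markup has run; if that ordering is not guaranteed, `EXPECT_EQ(L"History", GetTabTitle())` can pass before a successful injection has changed the title, so the comment should state which ordering guarantee is relied on, or the assertion should wait for the title to settle. A one-line comment naming what is covered, `// Regression test: the search term taken from the chrome://history URL fragment must be rendered escaped, not as markup.`, would also tell the next reader that only the `#q=` fragment path is exercised here.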