1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
<head>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
function print(message, color)
{
var paragraph = document.createElement("div");
paragraph.appendChild(document.createTextNode(message));
paragraph.style.fontFamily = "monospace";
if (color)
paragraph.style.color = color;
document.getElementById("console").appendChild(paragraph);
}
function run(a)
{
print(a);
try {
eval(a);
} catch(e) {
print(e);
}
}
function shouldBe(a, b)
{
var evalA;
try {
evalA = eval(a);
} catch(e) {
evalA = e;
}
if (evalA == b)
print("PASS: " + a + " should be " + b + " and is.", "green");
else
print("FAIL: " + a + " should be " + b + " but instead is " + evalA + ".", "red");
}
</script>
</head>
<body>
Test that innerHTML does not mangle javascript: urls.
<div id=console></div>
<div id=jsurltest><a href='
javascript:test(&37;3C!--D--&37;3E)'>link</a></div>
<script>
var r = document.getElementById('jsurltest');
run("r.innerHTML = r.innerHTML.replace(/&37;3C!--D--&37;3E/g, 123)");
shouldBe("r.innerHTML.indexOf('javascript:test(123)') > -1", true);
run("r.firstChild.setAttribute('href', 'javascript:test(\"text<\")')");
shouldBe("r.innerHTML.indexOf('javascript:test(\"text<\")') > -1", true);
run('r.firstChild.setAttribute("href", "javascript:test(\'text>\')")');
shouldBe('r.innerHTML.indexOf("javascript:test(\'text>\')") > -1', true);
testString = 'javascript:test(\'text&\',"test2&")';
print("testString = " + testString);
run('r.firstChild.setAttribute("href", testString)');
shouldBe('r.innerHTML.indexOf("javascript:test(\'text&\',"test2&")") > 1', true);
run("r.firstChild.setAttribute('href', 'http://www.google.fi/search?q=scarlett johansson&meta=&btnG=Google-haku')");
print(r.innerHTML);
</script>
|
