UNPKG

dojox

Version:

Dojo eXtensions, a rollup of many useful sub-projects and varying states of maturity – from very stable and robust, to alpha and experimental. See individual projects contain README files for details.

dojotoolkit.org

dojo/dojox

119 lines (111 loc) 3.18 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
dojo.provide("dojox.secure.tests.sandbox"); doh.register("dojox.secure.tests.sandbox.good", [ function setup(){ var div = document.createElement("div"); document.body.appendChild(div); div.innerHTML = "Sandboxed div:"; div.style.position = "absolute"; div.style.top = "100px"; div.style.left = "100px"; div.style.backgroundColor = "red"; div.style.color = "white"; container = document.createElement("div"); container.style.backgroundColor = "cyan"; container.style.color = "black"; div.appendChild(container); }, function innerHTML(t){ dojox.secure.evaluate("element.innerHTML = 'Hi there';",container); t.assertEqual("Hi there",container.innerHTML); }, function docWrite(t){ dojox.secure.evaluate("document.write(\"<div style='color:red'>written</div>\");",container); t.t(container.innerHTML.match(/written/)); } ]); function violater(func) { return {name: func.name, runTest: function(t) { var insecure; try { func(t); insecure = true; }catch(e){ console.log("successfully threw error",e); } t.f(insecure); }}; } doh.register("dojox.secure.tests.sandbox.bad", [ function parentNode(t){ t.f(dojox.secure.evaluate("document.body",container)); }, function innerHTMLScript(t){ try { dojox.secure.evaluate("bad = true",container); }catch(e){} t.t(typeof bad == 'undefined'); } /*function innerHTMLScript2(t){ try{ securedElement.innerHTML = '</script><script>bad=true;//'; }catch(e){} t.t(typeof bad == 'undefined'); }, function writeScript(t){ try{ securedDoc.write("<script>bad=true;</script>"); }catch(e){} t.t(typeof bad == 'undefined'); }, function appendScript(t){ try { var script = securedDoc.createElement('script'); script.appendChild(securedDoc.createTextNode( 'bad=true')); securedElement.appendChild(script); } catch(e) { } t.t(typeof bad == 'undefined'); }, function cssExpression(t) { if (dojo.isIE) { securedElement.innerHTML = '<div id="oDiv" style="left:expression((bad=true), 0)">Example DIV</div>'; t.t(typeof bad == 'undefined'); } else { try{ securedElement.innerHTML = '<input style=\'-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");\'>'; }catch(e){} t.f(securedElement.innerHTML.match(/mozilla/)) } }, function cssExpression2(t) { if (dojo.isIE) { securedElement.style.left = 'expression(alert("hello"), 0)'; t.f(securedElement.style.left.match(/alert/)); } else { try { securedElement.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")'; }catch(e){} } }, function cssExpression3(t) { if (dojo.isIE) { securedElement.style.behavior = 'url(a1.htc)'; t.f(securedElement.style.behavior); } else { } }, violater(function addStyleTag(t) { securedElement.innerHTML = "<style>div {color:expression(alert(\"hello\")}</style><div>test</div>"; }), violater(function addStyleTag2(t) { securedElement.innerHTML = "<style>@import 'unsafe.css'</style><div>unsafe css</div>"; })*/ ]);