UNPKG

plupload

Version:

Plupload is a JavaScript API for dealing with file uploads it supports features like multiple file selection, file type filtering, request chunking, client side image scaling and it uses different runtimes to achieve this such as HTML 5, Silverlight and F

plupload.com

moxiecode/plupload

81 lines (63 loc) 2.02 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <title>Flash: Runtime</title> <script src="../../../loader.js"></script> <script type="text/javascript"> QUnit.config.reorder = false; QUnit.config.testTimeout = 10000; module("Flash: Runtime"); function resolveRelative(path, base) { if (!base) { base = window.location.href.replace(/[\?\/]?[^\?\/]*$/, ''); } // Upper directory if (/^\.\.\//.test(path)) { return resolveRelative(path.slice(3), base.replace(/\/[^\/]*$/, '')); } // Relative to the root if (/^\//.test(path)) { var match = base.match(/(\w*:\/\/)?[^\/]*\//) || [base]; return match[0] + path.slice(1); } //relative to the current directory return base.replace(/\/[^\/]*$/, "") + '/' + path; } test("swf ignores query string", function(assert) { var vulnerable = false; var url = resolveRelative('../../../../bin/flash/Moxie.swf?uid=0&target=window.opener.flashCallback'); var popup = window.open(url, '_blank'); setTimeout(function() { popup.close(); ok(!vulnerable, "swf ignores query string parameters, when loaded directly (rather than embedded)."); start(); }, 500); stop(); window.flashCallback = function() { vulnerable = true; }; }); test('swf ignores query string with "url-encoded" crap', function(assert) { var vulnerable = false; var url = resolveRelative('../../../../bin/flash/Moxie.swf?%guid=0&%gtarget=window.opener.flashCallback'); var popup = window.open(url, '_blank'); setTimeout(function() { popup.close(); ok(!vulnerable, "swf ignores query string parameters (even when when they are sneaked in via pseudo url-encoded gibberish), when loaded directly (rather than embedded)."); start(); }, 500); stop(); window.flashCallback = function() { vulnerable = true; }; }); </script> </head> <body> <div id="qunit"></div> <div id="qunit-fixture" style="position: relative; top: 0 !important; left: 0 !important; width: 100%; height: 9px;"></div> </body> </html>