selectize
Version:
Selectize is a jQuery-based custom <select> UI control. Useful for tagging, contact lists, country selectors, etc.
61 lines (53 loc) • 1.77 kB
JavaScript
(function() {
window.setup_xss_test = function(html, options, done) {
window.xss = function() {
window.clearTimeout(timeout);
complete(new Error('Exploit executed'));
};
var test = setup_test(html, options);
var complete = function(err) {
window.xss = function() {};
done(err);
};
var timeout = window.setTimeout(complete, 75);
return test;
};
describe('XSS', function() {
describe('Raw HTML in original input value', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="<img src="x" onerror="xss()">">', {}, done);
});
});
describe('Raw HTML in optgroup label', function() {
it('should not trigger exploit', function(done) {
var test = setup_xss_test('<select><optgroup label="<img src="x" onerror="xss()">"><option>Test</option></optgroup></select>', {}, done);
test.selectize.refreshOptions();
test.selectize.open();
});
});
describe('Raw HTML in option label should not trigger exploit', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="">', {
options: [
{value: '1', label: '<img src="x" onerror="xss()">'}
],
items: ['1'],
labelField: 'label',
valueField: 'value'
}, done);
});
});
describe('Raw HTML in option value should not trigger exploit', function() {
it('should not trigger exploit', function(done) {
setup_xss_test('<input type="text" value="">', {
options: [
{value: '<img src="x" onerror="xss()">', label: '1'}
],
items: ['<img src="x" onerror="xss()">'],
labelField: 'label',
valueField: 'value'
}, done);
});
});
});
})();