1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
<!doctype html>
<html>
<head>
<title>Dangling Markup in target</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/utils.js"></script>
</head>
<body>
<script>
function anchorClick(target, id) {
const hyperlink = document.body.appendChild(document.createElement('a'));
if (target) {
hyperlink.target = target;
}
hyperlink.href = `resources/window-name.sub.html?report=${id}|close`;
hyperlink.click();
}
async function pollResultAndCheck(t, id, expected) {
const stashURL = new URL('resources/window-name-stash.py', location);
stashURL.searchParams.set('id', id);
let res = 'NONE';
while (res == 'NONE') {
await new Promise(resolve => { t.step_timeout(resolve, 100); });
const response = await fetch(stashURL);
res = await response.text();
}
if (res !== expected) {
assert_unreached('Stash result does not equal expected result.')
}
}
promise_test(async t => {
const id = token();
const value = '\n<' + id;
window.open(`resources/window-name.sub.html?report=${id}|close`, value);
await pollResultAndCheck(t, id, value);
}, 'Dangling Markup in target is not reset when set by window.open');
promise_test(async t => {
const id = token();
const value = '\n<' + id;
anchorClick(value, id)
await pollResultAndCheck(t, id, '');
}, 'Dangling Markup with "\\n" in target is reset when set by <a> tag');
promise_test(async t => {
const id = token();
const value = '\r<' + id;
anchorClick(value, id)
await pollResultAndCheck(t, id, '');
}, 'Dangling Markup with "\\r" in target is reset when set by <a> tag');
promise_test(async t => {
const id = token();
const value = '\t<' + id;
anchorClick(value, id)
await pollResultAndCheck(t, id, '');
}, 'Dangling Markup with "\\t" in target is reset when set by <a> tag');
promise_test(async t => {
const id = token();
const value = '\n<' + id;
const form = document.body.appendChild(document.createElement('form'));
form.target = value;
form.method = 'GET';
form.action = 'resources/window-name.sub.html';
const input = form.appendChild(document.createElement('input'));
input.type = 'hidden';
input.name = 'report';
input.value = `${id}|close`;
form.submit();
await pollResultAndCheck(t, id, '');
}, 'Dangling Markup in target is reset when set by <form> tag');
promise_test(async t => {
const id = token();
const value = '\n<' + id;
const base = document.head.appendChild(document.createElement('base'));
base.target = value;
anchorClick(null, id)
await pollResultAndCheck(t, id, '');
}, 'Dangling Markup in target is reset when set by <base> tag');
</script>
</body>
</html>
|
