1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
</head>
<body>
<script>
const element = document.createElement("div");
[
"onclick",
"onchange",
"onfocus",
"oNclick",
"OnClIcK"
].forEach(name => {
test(t => {
assert_throws_js(TypeError,
_ => element.setAttribute(name, "2+2"));
}, `Event handler ${name} should be blocked.`);
});
[
"one",
"oNe",
"onIcon",
"offIcon",
"blubb"
].forEach(name => {
test(t => {
element.setAttribute(name, "2+2");
}, `Non-event handler ${name} should not be blocked.`);
});
// We'd like to be sure we're not missing anything. Let's "query" an HTML
// element about which attributes it knows.
const div = document.createElement("div");
for(name in div.__proto__) {
// This captures all "on{foo}" handlers, but not "on" itself, which is an IDL
// attribute that returns an Observable.
const should_be_event_handler = name.startsWith("on") && name !== "on";
if (should_be_event_handler) {
test(t => {
assert_throws_js(TypeError,
_ => element.setAttribute(name, "2+2"));
}, `Event handler div.${name} should be blocked.`);
} else {
test(t => {
element.setAttribute(name, "2+2");
}, `Non-event handler div.${name} should not be blocked.`);
}
}
</script>
</body>
|
