
Add sanitize for tooltips and popovers html content.

On browsers where `createHTMLDocument` is not available, the sanitizer cannot run and the HTML is returned unchanged (i.e. still unsafe).
This commit is contained in:
Johann-S
2019-02-12 17:24:35 +02:00
committed by XhmikosR
parent d4129dff60
commit 2c8abb9a43
4 changed files with 361 additions and 9 deletions
+1 -1
@@ -190,7 +190,7 @@ $(function () {
.bootstrapPopover({
title: 'Test',
content: 'Test',
template: '<div class="popover foobar"><div class="arrow"></div><div class="inner"><h3 class="title"/><div class="content"><p/></div></div></div>'
template: '<div class="popover foobar"><div class="arrow"></div><div class="inner"><h3 class="title"></h3><div class="content"><p></p></div></div></div>'
})
.one('shown.bs.popover', function () {
assert.notEqual($('.popover').length, 0, 'popover was inserted')
+180
@@ -1526,4 +1526,184 @@ $(function () {
}
})
})
QUnit.test('should disable sanitizer', function (assert) {
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
sanitize: false
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.sanitize, false)
})
QUnit.test('should sanitize template by removing disallowed tags', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<div>',
' <script>console.log("oups script inserted")</script>',
' <span>Some content</span>',
'</div>'
].join('')
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.template.indexOf('script'), -1)
})
QUnit.test('should sanitize template by removing disallowed attributes', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<div>',
' <img src="x" onError="alert(\'test\')">Some content</img>',
'</div>'
].join('')
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.template.indexOf('onError'), -1)
})
QUnit.test('should sanitize template by removing tags with XSS', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<div>',
' <a href="javascript:alert(7)">Click me</a>',
' <span>Some content</span>',
'</div>'
].join('')
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.template.indexOf('javascript'), -1)
})
QUnit.test('should allow custom sanitization rules', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(2)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<a href="javascript:alert(7)">Click me</a>',
'<span>Some content</span>'
].join(''),
whiteList: {
span: null
}
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.template.indexOf('<a'), -1)
assert.ok(tooltip.options.template.indexOf('span') !== -1)
})
QUnit.test('should allow passing a custom function for sanitization', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<span>Some content</span>'
].join(''),
sanitizeFn: function (input) {
return input
}
})
var tooltip = $trigger.data('bs.tooltip')
assert.ok(tooltip.options.template.indexOf('span') !== -1)
})
QUnit.test('should allow passing aria attributes', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<span aria-pressed="true">Some content</span>'
].join('')
})
var tooltip = $trigger.data('bs.tooltip')
assert.ok(tooltip.options.template.indexOf('aria-pressed') !== -1)
})
QUnit.test('should not take into account sanitize in data attributes', function (assert) {
if (!document.implementation || !document.implementation.createHTMLDocument) {
assert.expect(0)
return
}
assert.expect(1)
var $trigger = $('<a href="#" rel="tooltip" data-sanitize="false" data-trigger="click" title="Another tooltip"/>')
.appendTo('#qunit-fixture')
.bootstrapTooltip({
template: [
'<span aria-pressed="true">Some content</span>'
].join('')
})
var tooltip = $trigger.data('bs.tooltip')
assert.strictEqual(tooltip.options.sanitize, true)
})
})
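Review bot: The assertion in 'should sanitize template by removing disallowed attributes', `tooltip.options.template.indexOf('onError')`, can pass even if the attribute is never stripped: if the sanitizer parses the template through `createHTMLDocument` and re-serializes it, as the feature guards suggest, attribute names come back lowercased, so `onError` is absent from the output whether or not `onerror` survived. Compare case-insensitively, e.g. `assert.strictEqual(tooltip.options.template.toLowerCase().indexOf('onerror'), -1)`. 'should allow passing a custom function for sanitization' has a similar gap: an identity `sanitizeFn` plus a check that `span` survives is also satisfied by the default whitelist, so it does not show the custom function was invoked; returning a sentinel like `'<span>custom</span>'` and asserting on `custom` would. Likewise 'should disable sanitizer' only checks `options.sanitize === false`; passing a template containing `<script>` and asserting it is retained would verify the bypass actually takes effect.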