-
Notifications
You must be signed in to change notification settings - Fork 5
/
one-late-attr-binding-test.js
63 lines (55 loc) · 1.86 KB
/
one-late-attr-binding-test.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
/**
* @license
* Copyright (c) 2017 The Polymer Project Authors. All rights reserved.
* This code may only be used under the BSD style license found at
* http://polymer.github.io/LICENSE.txt
* The complete set of authors may be found at
* http://polymer.github.io/AUTHORS.txt
* The complete set of contributors may be found at
* http://polymer.github.io/CONTRIBUTORS.txt
* Code distributed by Google as part of the polymer project is also
* subject to an additional IP rights grant found at
* http://polymer.github.io/PATENTS.txt
*/
goog.provide('security.polymer_resin.one_late_attr_binding');
goog.require('goog.html.SafeUrl');
goog.require('goog.string.Const');
suite(
'OneLateAttrBinding',
function () {
var oneLateAttrFixture;
setup(function () {
oneLateAttrFixture = fixture('one-late-attr-binding-fixture');
});
test('innocuous_string', function(done) {
oneLateAttrFixture.items = ['http://example.com/foo'];
flush(
function () {
var link = oneLateAttrFixture.$$('a');
assert.equal('http://example.com/foo', link.href);
done();
});
});
test('safe_url', function(done) {
oneLateAttrFixture.items = [
goog.html.SafeUrl.fromConstant(
goog.string.Const.from('javascript:safe()'))
];
flush(
function () {
var link = oneLateAttrFixture.$$('a');
assert.equal('javascript:safe()', link.href);
done();
});
});
test('evil_payload', function(done) {
oneLateAttrFixture.items = ['javascript:evil()'];
flush(function () {
var link = oneLateAttrFixture.$$('a');
assert.equal(
goog.html.SafeUrl.INNOCUOUS_STRING,
link.href);
done();
});
});
});