From 2f35cf53661939388be02ff96323bdc1d8f0833e Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Mon, 26 Sep 2016 17:47:06 -0400
Subject: Bug 1284979 - Write test case to find obvious uses of inline javascript in the templates r=dkl

---
 t/016csp.t | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 t/016csp.t

diff --git a/t/016csp.t b/t/016csp.t
new file mode 100644
index 000000000..427522e25
--- /dev/null
+++ b/t/016csp.t
@@ -0,0 +1,123 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+#################
+#Bugzilla Test 4#
+####Templates####
+
+use 5.14.0;
+use strict;
+use warnings;
+
+use lib qw(. lib local/lib/perl5 t);
+
+use Test::More;
+use File::Find;
+use Support::Templates;
+use List::MoreUtils qw(any);
+use Text::Balanced qw(gen_extract_tagged extract_multiple);
+
+unless ( $ENV{CSP_TESTING} ) {
+ plan( skip_all => "CSP tests not yet default" );
+ exit;
+}
+
+my @event_attrs = qw(
+ onabort onafterprint onbeforeprint onbeforeunload onblur oncanplay oncanplaythrough onchange onclick oncontextmenu
+ oncopy oncuechange oncut ondblclick ondrag ondragend ondragenter ondragleave ondragover ondragstart ondrop
+ ondurationchange onemptied onended onerror onfocus onhashchange oninput oninvalid onkeydown onkeypress onkeyup onload
+ onloadeddata onloadedmetadata onloadstart onmessage onmousedown onmousemove onmouseout onmouseover onmouseup
+ onmousewheel onoffline ononline onpagehide onpageshow onpaste onpause onplay onplaying onpopstate onprogress
+ onratechange onreset onresize onscroll onsearch onseeked onseeking onselect onshow onstalled onstorage onsubmit
+ onsuspend ontimeupdate ontoggle onunload onvolumechange onwaiting onwheel
+);
+
+my %score;
+sub wanted {
+ my $name = $File::Find::name;
+
+ return unless /\.html\.tmpl$/;
+ return unless -f $name;
+ open my $fh, '<', $name or return;
+ my $data = do { local $/ = undef; scalar <$fh> };
+ close $fh;
+
+ my $tt_parser = gen_extract_tagged( "\\[%", "%\\]", undef, { bad => ["\\[%"] } );
+ my @tt_matches = extract_multiple($data, [ $tt_parser ]);
+
+ my $found_tt_javascript = 0;
+ my $found_tt_onload = 0;
+ my $found_script_content = 0;
+ my @found_event_attr;
+ foreach my $match (@tt_matches) {
+ if ($match =~ /^\[%/) {
+ if ($match =~ /javascript\s+=\s+/) {
+ $found_tt_javascript = 1;
+ $score{$name}++;
+ }
+ elsif ($match =~ /onload\s*=/) {
+ $found_tt_onload = 1;
+ $score{$name}++;
+ }
+ }
+ else {
+ foreach my $event_attr (@event_attrs) {
+ if ($match =~ /\Q$event_attr\E\s*=\s*['"]/s) {
+ push @found_event_attr, $event_attr;
+ $score{$name}++;
+ }
+ }
+ my $tag_parser = gen_extract_tagged();
+ while (my @tag = $tag_parser->($match)) {
+ last unless defined $tag[0];
+
+ if ($tag[3] && $tag[3] =~ /