| author | Johann-S <[email protected]> | 2018-09-12 10:08:39 +0200 |
|---|---|---|
| committer | Johann-S <[email protected]> | 2018-09-13 22:13:36 +0200 |
| commit | a689120fd2af44bfb317f899b42037c46bfcd2fe (patch) | |
| tree | d7eb34da370314588d296221a3683e6156046d80 /js/tests/unit/modal.js | |
| parent | 9efed8252249065b7903731d3a2b578df89d2ce0 (diff) | |
| download | bootstrap-a689120fd2af44bfb317f899b42037c46bfcd2fe.tar.xz bootstrap-a689120fd2af44bfb317f899b42037c46bfcd2fe.zip | |
throw error when folks try to use a bad selector
Diffstat (limited to 'js/tests/unit/modal.js')
| -rw-r--r-- | js/tests/unit/modal.js | 46 |
1 files changed, 25 insertions, 21 deletions
diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 53a2e0416..914366ae2 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -607,36 +607,40 @@ $(function () {
 assert.expect(1)
 var done = assert.async()
- var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>')
- .appendTo('#qunit-fixture')
+ try {
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div id="modal-test"><div class="contents"<div<div id="close" data-dismiss="modal"/></div></div>"/>')
+ .appendTo('#qunit-fixture')
- $toggleBtn.trigger('click')
- setTimeout(function () {
+ $toggleBtn.trigger('click')
+ } catch (e) {
 assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
 done()
- }, 1)
+ }
 })
 QUnit.test('should not execute js from target', function (assert) {
 assert.expect(0)
 var done = assert.async()
- // This toggle button contains XSS payload in its data-target
- // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
- // a script element works in manual tests though, so here it is likely blocked by the qunit framework
- var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>')
- .appendTo('#qunit-fixture')
- // The XSS payload above does not have a closure over this function and cannot access the assert object directly
- // However, it can send a click event to the following control button, which will then fail the assert
- $('<button>')
- .addClass('control')
- .on('click', function () {
- assert.notOk(true, 'XSS payload is not executed as js')
- })
- .appendTo('#qunit-fixture')
-
- $toggleBtn.trigger('click')
- setTimeout(done, 500)
+ try {
+ // This toggle button contains XSS payload in its data-target
+ // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
+ // a script element works in manual tests though, so here it is likely blocked by the qunit framework
+ var $toggleBtn = $('<button data-toggle="modal" data-target="<div><image src="missing.png" onerror="$('#qunit-fixture button.control').trigger('click')"></div>"/>')
+ .appendTo('#qunit-fixture')
+ // The XSS payload above does not have a closure over this function and cannot access the assert object directly
+ // However, it can send a click event to the following control button, which will then fail the assert
+ $('<button>')
+ .addClass('control')
+ .on('click', function () {
+ assert.notOk(true, 'XSS payload is not executed as js')
+ })
+ .appendTo('#qunit-fixture')
+
+ $toggleBtn.trigger('click')
+ } catch (e) {
+ done()
+ }
 })
 QUnit.test('should not try to open a modal which is already visible', function (assert) { |
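Review bot: In 'should not execute js from target' the new `catch` calls `done()` synchronously, so the test no longer waits for the asynchronous image `onerror` handler that the control button exists to detect. If a later change parsed the `data-target` markup before throwing, the handler would fire after the test had already finished. Keeping the delay from the removed code inside the catch, `setTimeout(done, 500)`, would preserve the XSS regression check. In both tests `done()` is reachable only from the `catch`, which accepts any exception and never inspects `e`, so a missing throw shows up only as a hang or timeout and an unrelated setup error would pass. A comment such as `// the invalid selector in data-target is expected to throw on click` above each `try` would document the intent. The first test's `QUnit.test(` line and the enclosing `$(function () {` start outside the hunk.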
