From bcad4bcb5f5a9ef079b2883a48a698b35261e083 Mon Sep 17 00:00:00 2001
From: Johann-S <johann.servoire@gmail.com>
Date: Fri, 25 Aug 2017 21:54:49 +0200
Subject: Fix XSS in data-target

---
 js/tests/visual/modal.html | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'js/tests')

diff --git a/js/tests/visual/modal.html b/js/tests/visual/modal.html
index c9a950b8c..da9bbf93a 100644
--- a/js/tests/visual/modal.html
+++ b/js/tests/visual/modal.html
@@ -167,6 +167,10 @@
       <div class="bg-dark text-white p-2" id="tall" style="display: none;">
         Tall body content to force the page to have a scrollbar.
       </div>
+
+      <button type="button" class="btn btn-secondary btn-lg" data-toggle="modal" data-target="&#x3C;div class=&#x22;modal fade the-bad&#x22; tabindex=&#x22;-1&#x22; role=&#x22;dialog&#x22;&#x3E;&#x3C;div class=&#x22;modal-dialog&#x22; role=&#x22;document&#x22;&#x3E;&#x3C;div class=&#x22;modal-content&#x22;&#x3E;&#x3C;div class=&#x22;modal-header&#x22;&#x3E;&#x3C;button type=&#x22;button&#x22; class=&#x22;close&#x22; data-dismiss=&#x22;modal&#x22; aria-label=&#x22;Close&#x22;&#x3E;&#x3C;span aria-hidden=&#x22;true&#x22;&#x3E;&#x26;times;&#x3C;/span&#x3E;&#x3C;/button&#x3E;&#x3C;h4 class=&#x22;modal-title&#x22;&#x3E;The Bad Modal&#x3C;/h4&#x3E;&#x3C;/div&#x3E;&#x3C;div class=&#x22;modal-body&#x22;&#x3E;This modal&#x27;s HTTML source code is declared inline, inside the data-target attribute of it&#x27;s show-button&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;">
+        Modal with an XSS inside the data-target
+      </button>
     </div>
 
     <script src="../../../assets/js/vendor/jquery-slim.min.js"></script>
-- 
cgit v1.2.3


From 9612830701211d757ff95ceccbb494fd2e7ee17e Mon Sep 17 00:00:00 2001
From: meeque <meeque@users.noreply.github.com>
Date: Fri, 25 Aug 2017 22:53:15 +0200
Subject: Add unit test for xss in data target attribute

---
 js/tests/unit/modal.js | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'js/tests')

diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 3b028dc10..5b265df15 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -597,4 +597,40 @@ $(function () {
       })
       .trigger('click')
   })
+
+  QUnit.test('should not parse target as html', function (assert) {
+    assert.expect(1)
+    var done = assert.async()
+
+    var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div id=&quot;modal-test&quot;&gt;&lt;div class=&quot;contents&quot;&lt;div&lt;div id=&quot;close&quot; data-dismiss=&quot;modal&quot;/&gt;&lt;/div&gt;&lt;/div&gt;"/>')
+      .appendTo('#qunit-fixture')
+
+    $toggleBtn.trigger('click')
+    setTimeout(function () {
+      assert.strictEqual($('#modal-test').length, 0, 'target has not been parsed and added to the document')
+      done()
+    }, 1)
+  })
+
+  QUnit.test('should not execute js from target', function (assert) {
+    assert.expect(0)
+    var done = assert.async()
+
+    // This toggle button contains XSS payload in its data-target
+    // Note: it uses the onerror handler of an img element to execute the js, because a simple script element does not work here
+    //       a script element works in manual tests though, so here it is likely blocked by the qunit framework
+    var $toggleBtn = $('<button data-toggle="modal" data-target="&lt;div&gt;&lt;image src=&quot;missing.png&quot; onerror=&quot;$(&apos;#qunit-fixture button.control&apos;).trigger(&apos;click&apos;)&quot;&gt;&lt;/div&gt;"/>')
+      .appendTo('#qunit-fixture')
+    // The XSS payload above does not have a closure over this function and cannot access the assert object directly
+    // However, it can send a click event to the following control button, which will then fail the assert
+    $('<button>')
+      .addClass('control')
+      .on('click', function () {
+        assert.notOk(true, 'XSS payload is not executed as js')
+      })
+      .appendTo('#qunit-fixture')
+
+    $toggleBtn.trigger('click')
+    setTimeout(done, 500)
+  })
 })
-- 
cgit v1.2.3


From 487513ff03b3d63ad3b3fe641dae2a3882d5ded5 Mon Sep 17 00:00:00 2001
From: David Bailey <techdavid@users.noreply.github.com>
Date: Mon, 28 Aug 2017 16:21:04 +0100
Subject: Add failing test

When the body does not overflow (achieved by hiding the QUnit container), it should not be given a margin.
---
 js/tests/unit/modal.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'js/tests')

diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 5b265df15..3611dfdf1 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -391,6 +391,25 @@ $(function () {
       .bootstrapModal('show')
   })
 
+  QUnit.test('should not adjust the inline body padding when it does not overflow', function (assert) {
+    assert.expect(1)
+    var done = assert.async()
+    var $body = $(document.body)
+    var originalPadding = $body.css('padding-right')
+
+    $('#qunit-container').hide()
+    $('<div id="modal-test"/>')
+      .on('shown.bs.modal', function () {
+        var currentPadding = $body.css('padding-right')
+        assert.strictEqual(currentPadding, originalPadding, 'body padding should not be adjusted')
+        $(this).bootstrapModal('hide')
+
+        $('#qunit-container').show()
+        done()
+      })
+      .bootstrapModal('show')
+  })
+
   QUnit.test('should adjust the inline padding of fixed elements when opening and restore when closing', function (assert) {
     assert.expect(2)
     var done = assert.async()
-- 
cgit v1.2.3


From 2622a015f2d38673e3af92a3031ae8b2f2a9ce0f Mon Sep 17 00:00:00 2001
From: David Bailey <techdavid@users.noreply.github.com>
Date: Tue, 29 Aug 2017 12:01:41 +0100
Subject: Fix unit tests in PhantomJS

Use a virtual scrollbar as this is simpler than having a real one (overflow: scroll doesn't seem to work in Phantom), and disable it for the new test.

One test has also been altered to prevent erroneous fails when other inline styles are added to the body (e.g. overflow).
---
 js/tests/unit/modal.js | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'js/tests')

diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 3611dfdf1..735dc4f0c 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -21,6 +21,8 @@ $(function () {
         document.body.removeChild(scrollDiv)
         return scrollbarWidth
       }
+      // Simulate scrollbars in PhantomJS
+      $('html').css('padding-right', '16px')
     },
     beforeEach: function () {
       // Run all tests in noConflict mode -- it's the only way to ensure that the plugin works in noConflict mode
@@ -397,14 +399,19 @@ $(function () {
     var $body = $(document.body)
     var originalPadding = $body.css('padding-right')
 
-    $('#qunit-container').hide()
+    // Hide scrollbars to prevent the body overflowing
+    $body.css('overflow', 'hidden')        // real scrollbar (for in-browser testing)
+    $('html').css('padding-right', '0px')  // simulated scrollbar (for PhantomJS)
+
     $('<div id="modal-test"/>')
       .on('shown.bs.modal', function () {
         var currentPadding = $body.css('padding-right')
         assert.strictEqual(currentPadding, originalPadding, 'body padding should not be adjusted')
         $(this).bootstrapModal('hide')
 
-        $('#qunit-container').show()
+        // restore scrollbars
+        $body.css('overflow', 'auto')
+        $('html').css('padding-right', '16px')
         done()
       })
       .bootstrapModal('show')
@@ -544,7 +551,7 @@ $(function () {
 
     $('<div id="modal-test"/>')
       .on('hidden.bs.modal', function () {
-        assert.ok(!$body.attr('style'), 'body does not have inline padding set')
+        assert.strictEqual($body.attr('style').indexOf('padding-right'), -1, 'body does not have inline padding set')
         $style.remove()
         done()
       })
-- 
cgit v1.2.3


From ce41d3fd159ce376b55413cef6e88fd658f4fd30 Mon Sep 17 00:00:00 2001
From: David Bailey <techdavid@users.noreply.github.com>
Date: Tue, 29 Aug 2017 15:36:37 +0100
Subject: Add failing test

---
 js/tests/unit/modal.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'js/tests')

diff --git a/js/tests/unit/modal.js b/js/tests/unit/modal.js
index 5b265df15..d22b818d2 100644
--- a/js/tests/unit/modal.js
+++ b/js/tests/unit/modal.js
@@ -349,6 +349,20 @@ $(function () {
     $toggleBtn.trigger('click')
   })
 
+  QUnit.test('should adjust the inline padding of the modal when opening', function (assert) {
+    assert.expect(1)
+    var done = assert.async()
+
+    $('<div id="modal-test"/>')
+      .on('shown.bs.modal', function () {
+        var expectedPadding = $(this).getScrollbarWidth() + 'px'
+        var currentPadding = $(this).css('padding-right')
+        assert.strictEqual(currentPadding, expectedPadding, 'modal padding should be adjusted while opening')
+        done()
+      })
+      .bootstrapModal('show')
+  })
+
   QUnit.test('should adjust the inline body padding when opening and restore when closing', function (assert) {
     assert.expect(2)
     var done = assert.async()
-- 
cgit v1.2.3


From 9936bf59444c402b653f28449529eab83794e911 Mon Sep 17 00:00:00 2001
From: Johann-S <johann.servoire@gmail.com>
Date: Tue, 29 Aug 2017 21:16:00 +0200
Subject: Create a bundled release of Bootstrap with Popper.js inside

---
 js/tests/.eslintrc.json | 1 +
 1 file changed, 1 insertion(+)

(limited to 'js/tests')

diff --git a/js/tests/.eslintrc.json b/js/tests/.eslintrc.json
index a05a3a390..b03980144 100644
--- a/js/tests/.eslintrc.json
+++ b/js/tests/.eslintrc.json
@@ -28,6 +28,7 @@
     "global-require": "off",
     "no-process-env": "off",
     "no-process-exit": "off",
+    "no-sync": "off",
 
     // Stylistic Issues
     "brace-style": "off",
-- 
cgit v1.2.3