third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="./resources/helper.js"></script>
 <body>
 <script>
   // We're injecting markup via `srcdoc` so, confusingly, we need to
   // entity-escape the "raw" content, and double-escape the "escaped"
   // content.
   var rawBrace = "&lt;";
   var escapedBrace = "&amp;lt;";
   var rawNewline = "&#10;";
   var escapedNewline = "&amp;#10;";

   var abeSizedPng = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAAACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CYII=";
   var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");

   var should_block = [
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=1${rawNewline}b">`,
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=2${rawNewline}b${rawBrace}c">`,
     `
       <img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=3
         b${rawBrace}c
       ">
     `,
     `<img id="dangling" src="${abeSizedPngWithNewline}">`,
   ];

   should_block.forEach(markup => {
     async_test(t => {
       var i = createFrame(`${markup}`);
       assert_img_not_loaded(t, i);
     }, markup.replace(/[\n\r]/g, ''));
   });

   var should_load = [
     // Brace alone doesn't block:
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&img=${rawBrace}b">`,

     // Entity-escaped characters don't trigger blocking:
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&data=${escapedNewline}b">`,
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&img=${escapedBrace}b">`,
     `<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&img=${escapedNewline}b${escapedBrace}c">`,

     // Leading and trailing whitespace is stripped:
     `
       <img id="dangling" src="
         http://127.0.0.1:8000/security/resources/abe.png?8
       ">
       <input type=hidden name=csrf value=sekrit>
     `,
     `
       <img id="dangling" src="
       http://127.0.0.1:8000/security/resources/abe.png?9&img=${escapedBrace}
       ">
       <input type=hidden name=csrf value=sekrit>
     `,
     `
       <img id="dangling" src="
       http://127.0.0.1:8000/security/resources/abe.png?10&img=${escapedNewline}
       ">
       <input type=hidden name=csrf value=sekrit>
     `,
   ];

   should_load.forEach(markup => {
     async_test(t => {
       var i = createFrame(`${markup} <element attr="" another=''>`);
       assert_img_loaded(t, i);
     }, markup.replace(/[\n\r]/g, ''));
   });
 </script>
	<!DOCTYPE html>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="./resources/helper.js"></script>
	<body>
	<script>
	// We're injecting markup via `srcdoc` so, confusingly, we need to
	// entity-escape the "raw" content, and double-escape the "escaped"
	// content.
	var rawBrace = "<";
	var escapedBrace = "&lt;";
	var rawNewline = " ";
	var escapedNewline = "&#10;";

	var abeSizedPng = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEwAAABnAQMAAACQMjadAAAAA1BMVEX///+nxBvIAAAAEUlEQVQ4y2MYBaNgFIwCegAABG0AAd5G4RkAAAAASUVORK5CYII=";
	var abeSizedPngWithNewline = abeSizedPng.replace("i", "i\n");

	var should_block = [
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?data=1${rawNewline}b">`,
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=2${rawNewline}b${rawBrace}c">`,
	`
	<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?img=3
	b${rawBrace}c
	">
	`,
	`<img id="dangling" src="${abeSizedPngWithNewline}">`,
	];

	should_block.forEach(markup => {
	async_test(t => {
	var i = createFrame(`${markup}`);
	assert_img_not_loaded(t, i);
	}, markup.replace(/[\n\r]/g, ''));
	});

	var should_load = [
	// Brace alone doesn't block:
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?4&img=${rawBrace}b">`,

	// Entity-escaped characters don't trigger blocking:
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?5&data=${escapedNewline}b">`,
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?6&img=${escapedBrace}b">`,
	`<img id="dangling" src="http://127.0.0.1:8000/security/resources/abe.png?7&img=${escapedNewline}b${escapedBrace}c">`,

	// Leading and trailing whitespace is stripped:
	`
	<img id="dangling" src="
	http://127.0.0.1:8000/security/resources/abe.png?8
	">
	<input type=hidden name=csrf value=sekrit>
	`,
	`
	<img id="dangling" src="
	http://127.0.0.1:8000/security/resources/abe.png?9&img=${escapedBrace}
	">
	<input type=hidden name=csrf value=sekrit>
	`,
	`
	<img id="dangling" src="
	http://127.0.0.1:8000/security/resources/abe.png?10&img=${escapedNewline}
	">
	<input type=hidden name=csrf value=sekrit>
	`,
	];

	should_load.forEach(markup => {
	async_test(t => {
	var i = createFrame(`${markup} <element attr="" another=''>`);
	assert_img_loaded(t, i);
	}, markup.replace(/[\n\r]/g, ''));
	});
	</script>