3 <script src=
"../../resources/js-test.js"></script>
<!-- Fixture: a hidden container holding one script, style, textarea and xmp
     element, each with the same comment text built from the characters
     double quote, single quote, ampersand, less-than and greater-than.
     NOTE(review): the three character groups look identical on this page, so
     character references in the original markup were presumably decoded by
     the page renderer; check the original file for the exact bytes. -->
6 <div id=
"hidden" style=
"visibility: hidden">
7 <script id=
"script">/*
"'&<> "'&<> "'&<> */</script>
8 <style id="style
">/*"'&<> "'&<> "'&<
> */
</style>
9 <textarea id=
"textarea">/*
"'&<> "'&<> "'&<> */</textarea>
10 <xmp id="xmp
">/*"'&<> "'&<> "'&<
> */
</xmp>
// Test banner. The wording says "text node", but the helper functions below
// read innerHTML/outerHTML from elements looked up by id.
13 description("Tests that accessing the innerHTML property of a text node encodes harmful entities which can result in cross site scripting.");
// Expectation table: each row is [expression, expected value], both given as
// strings and handed to shouldBe() by the loop at the end of the script.
// NOTE(review): as shown on this page the rows are not valid JavaScript
// (unescaped quotes inside single-quoted strings), which suggests the page
// renderer decoded character references; check the expected values against
// the original file before relying on them.
// NOTE(review): the textarea rows are written differently from the
// script/style/xmp rows, presumably because textarea text is escaped on
// serialization while script, style and xmp text is emitted verbatim.
// Confirm against the original.
15 var tests
= [ ['innerHTML("script")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
16 ['innerHTML("style")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
17 ['innerHTML("textarea")', '"/*\\"\'&<> \\"\'&<> \\"\'&<> */"'],
18 ['innerHTML("xmp")' , '"/*"'&<> "'&<> \\"\'&<> */"'],
19 ['outerHTML("script")' , '"<script id=\\"script\\">/*"'&<> "'&<> \\"\'&<> */<\/script>"'],
20 ['outerHTML("style")' , '"<style id=\\"style\\">/*"'&<> "'&<> \\"\'&<> */<\/style>"'],
21 ['outerHTML("textarea")', '"<textarea id=\\"textarea\\">/*\\"\'&<> \\"\'&<> \\"\'&<> */<\/textarea>"'],
22 ['outerHTML("xmp")' , '"<xmp id=\\"xmp\\">/*"'&<> "'&<> \\"\'&<> */<\/xmp>"'],
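/**
 * Returns the innerHTML serialization of the element with the given id.
 *
 * Despite its name, `textnode` is an element id handed to
 * document.getElementById(), not a Text node. The returned string is the
 * markup the browser produces for the element's children, which is the value
 * the expectation table is compared against.
 *
 * @param {string} textnode - id of the element to serialize.
 * @returns {string} The element's innerHTML.
 */
function innerHTML(textnode) {
  return document.getElementById(textnode).innerHTML;
}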
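/**
 * Returns the outerHTML serialization of the element with the given id.
 *
 * Despite its name, `textnode` is an element id handed to
 * document.getElementById(), not a Text node. The returned string covers the
 * element's own start and end tags as well as its children.
 *
 * @param {string} textnode - id of the element to serialize.
 * @returns {string} The element's outerHTML.
 */
function outerHTML(textnode) {
  return document.getElementById(textnode).outerHTML;
}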
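// Run every expectation row through shouldBe(): element 0 is the expression
// to evaluate, element 1 the expected value.
// An indexed loop is used instead of for...in so that only the array's own
// elements are visited, in order, even if something has added enumerable
// properties to Array.prototype.
for (var i = 0; i < tests.length; i++) {
  shouldBe(tests[i][0], tests[i][1]);
}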