https://www.mediawiki.org/wiki/Special:Code/MediaWiki/112107

Revision: 112107
Author:   jdlrobson
Date:     2012-02-22 13:55:46 +0000 (Wed, 22 Feb 2012)
Log Message:
-----------
add test for highlighting potentially unsafe search input

Modified Paths:
--------------
    trunk/extensions/MobileFrontend/javascripts/beta_opensearch.js
    trunk/extensions/MobileFrontend/tests/js/test_beta_opensearch.js

Modified: trunk/extensions/MobileFrontend/javascripts/beta_opensearch.js
===================================================================
--- trunk/extensions/MobileFrontend/javascripts/beta_opensearch.js      
2012-02-22 13:50:38 UTC (rev 112106)
+++ trunk/extensions/MobileFrontend/javascripts/beta_opensearch.js      
2012-02-22 13:55:46 UTC (rev 112107)
@@ -191,7 +191,10 @@
        }
 
        function htmlEntities( str ) {
-           return String( str ).replace( /&/g, '&amp;' ).replace( /</g, '&lt;' 
).replace( />/g, '&gt;' ).replace( /"/g, '&quot;' ).replace( /'/g, '&#39;' );
+               var text = document.createTextNode(str);
+               var el = document.createElement( 'div' );
+               el.appendChild(text);
+               return el.innerHTML;
        }
 
        function escapeJsString( str ) {
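Review bot: The DOM-based rewrite at lines 27-30 drops the quote escaping that the removed replace chain performed: serializing a text node through innerHTML encodes `&`, `<` and `>` but leaves `"` and `'` untouched, so any caller that interpolates the result into an attribute value (title, href, data-*) is no longer protected against attribute breakout. If htmlEntities is only ever used for element content this is acceptable, but the function reads as a general-purpose escaper and should either keep `return el.innerHTML.replace( /"/g, '&quot;' ).replace( /'/g, '&#39;' );` or carry a comment such as `// element-content context only: quotes are NOT escaped, do not use for attribute values`. The removed line also wrapped the argument in String(); createTextNode coerces to string as well, so that part is equivalent. The callers of htmlEntities are outside the hunk, so whether an attribute context exists cannot be confirmed from here.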

Modified: trunk/extensions/MobileFrontend/tests/js/test_beta_opensearch.js
===================================================================
--- trunk/extensions/MobileFrontend/tests/js/test_beta_opensearch.js    
2012-02-22 13:50:38 UTC (rev 112106)
+++ trunk/extensions/MobileFrontend/tests/js/test_beta_opensearch.js    
2012-02-22 13:55:46 UTC (rev 112107)
@@ -67,3 +67,14 @@
        strictEqual($(pageLink).html(), "Title <strong>with ?</strong> in it", 
"check the highlight is correct");
 });
 
+test("writeResults with highlighted text (safe)", function() {
+       var results = [
+               { label: "<script>alert('FAIL')</script> should be safe", 
value: "/B1" }
+       ];
+       $("#search").val("<script>alert('FAIL'");
+       MFET.triggerEvent($("#search")[0], "keyup");
+       MFEOS.writeResults(results);
+       var pageLink = $("#results .suggestions-result 
a.search-result-item")[0];
+       strictEqual($(pageLink).html(),
+               "<strong>&lt;script&gt;alert('FAIL'</strong>)&lt;/script&gt; 
should be safe", "check the highlight is correct");
+});
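Review bot: The assertion at lines 56-58 only pins the serialized markup of the link content, so it passes whenever the browser encodes `<` and `>` in text, but it does not directly check the property the test name claims — that no script element was created — and it asserts `'` coming through unescaped, which documents rather than covers the quote case. A structural check such as `strictEqual($("#results script").length, 0, "no script element injected");` is browser-independent and fails for the right reason. If writeResults also places the label or value into an attribute (not visible in this hunk), a second result whose label contains `"` and `&` with an assertion on that attribute's value would cover the context that the innerHTML-based htmlEntities no longer escapes.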

