From 4cc4018073e4a14a831f03d55a835883def2ce41 Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Fri, 12 Mar 2021 10:43:02 -0500 Subject: [PATCH 1/2] skip empty srcs for safe iframe srcs Fixes #3215 --- build/flaws.js | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/build/flaws.js b/build/flaws.js index f3ce302e7692..f99e686989bf 100644 --- a/build/flaws.js +++ b/build/flaws.js @@ -61,9 +61,15 @@ function injectFlaws(doc, $, options, document) { doc.flaws[flawName] && doc.flaws[flawName].length > 0 ) { - throw new Error( - `${flawName} flaws: ${doc.flaws[flawName].map((f) => f.explanation)}` - ); + // To make the stdout output a bit more user-friendly, print one warning + // for each explanation + doc.flaws[flawName].forEach((flaw, i) => { + console.warn( + i + 1, + chalk.yellow(`${chalk.bold(flawName)} flaw: ${flaw.explanation}`) + ); + }); + throw new Error(`${doc.flaws[flawName].length} ${flawName} flaws`); } } } @@ -103,8 +109,6 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) { } const safeIFrameSrcs = [ - LIVE_SAMPLES_BASE_URL.toLowerCase(), - INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase(), // EmbedGHLiveSample.ejs "https://mdn.github.io", // EmbedYouTube.ejs @@ -114,12 +118,22 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) { // EmbedTest262ReportResultsTable.ejs "https://test262.report", ]; + if (LIVE_SAMPLES_BASE_URL) { + safeIFrameSrcs.push(LIVE_SAMPLES_BASE_URL.toLowerCase()); + } + if (INTERACTIVE_EXAMPLES_BASE_URL) { + safeIFrameSrcs.push(INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase()); + } $("script, embed, object, iframe").each((i, element) => { const { tagName } = element; if (tagName === "iframe") { // For iframes we only check the 'src' value const src = $(element).attr("src"); + if (src.startsWith("/") && !src.includes("://")) { + // Local URLs are always safe + return; + } if (!safeIFrameSrcs.find((s) => src.toLowerCase().startsWith(s))) { addFlaw(element, `Unsafe + +

Here's a link that contains the string :JavaScript within the href attribute:
diff --git a/testing/tests/index.test.js b/testing/tests/index.test.js index 1ba331ca4dd9..9ee58b5ebc2e 100644 --- a/testing/tests/index.test.js +++ b/testing/tests/index.test.js @@ -1292,10 +1292,10 @@ test("unsafe HTML gets flagged as flaws and replace with its raw HTML", () => { const jsonFile = path.join(builtFolder, "index.json"); const { doc } = JSON.parse(fs.readFileSync(jsonFile)); - expect(doc.flaws.unsafe_html.length).toBe(5); + expect(doc.flaws.unsafe_html.length).toBe(6); const htmlFile = path.join(builtFolder, "index.html"); const html = fs.readFileSync(htmlFile, "utf-8"); const $ = cheerio.load(html); - expect($("code.unsafe-html").length).toBe(5); + expect($("code.unsafe-html").length).toBe(6); });