skip empty srcs for safe iframe srcs (mdn#3216)

* skip empty srcs for safe iframe srcs Fixes mdn#3215 * feedbacked
peterbe · Jun 1, 2021 · 48beead · 48beead
1 parent 9fd38f4
commit 48beead
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/build/flaws.js b/build/flaws.js
@@ -61,9 +61,15 @@ function injectFlaws(doc, $, options, document) {
       doc.flaws[flawName] &&
       doc.flaws[flawName].length > 0
     ) {
-      throw new Error(
-        `${flawName} flaws: ${doc.flaws[flawName].map((f) => f.explanation)}`
-      );
+      // To make the stdout output a bit more user-friendly, print one warning
+      // for each explanation
+      doc.flaws[flawName].forEach((flaw, i) => {
+        console.warn(
+          i + 1,
+          chalk.yellow(`${chalk.bold(flawName)} flaw: ${flaw.explanation}`)
+        );
+      });
+      throw new Error(`${doc.flaws[flawName].length} ${flawName} flaws`);
     }
   }
 }
@@ -103,8 +109,6 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
   }
 
   const safeIFrameSrcs = [
-    LIVE_SAMPLES_BASE_URL.toLowerCase(),
-    INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase(),
     // EmbedGHLiveSample.ejs
     "https://mdn.github.io",
     // EmbedYouTube.ejs
@@ -114,12 +118,22 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
     // EmbedTest262ReportResultsTable.ejs
     "https://test262.report",
   ];
+  if (LIVE_SAMPLES_BASE_URL) {
+    safeIFrameSrcs.push(LIVE_SAMPLES_BASE_URL.toLowerCase());
+  }
+  if (INTERACTIVE_EXAMPLES_BASE_URL) {
+    safeIFrameSrcs.push(INTERACTIVE_EXAMPLES_BASE_URL.toLowerCase());
+  }
 
   $("script, embed, object, iframe").each((i, element) => {
     const { tagName } = element;
     if (tagName === "iframe") {
       // For iframes we only check the 'src' value
       const src = $(element).attr("src");
+      // Local URLs are always safe.
+      if (!(src.startsWith("//") || src.includes("://"))) {
+        return;
+      }
       if (!safeIFrameSrcs.find((s) => src.toLowerCase().startsWith(s))) {
         addFlaw(element, `Unsafe <iframe> 'src' value (${src})`);
       }

diff --git a/testing/content/files/en-us/web/unsafe_html/index.html b/testing/content/files/en-us/web/unsafe_html/index.html
@@ -20,6 +20,8 @@
 
 <iframe src="https://www.peterbe.com/"></iframe>
 
+<iframe src="//evil.com/"></iframe>
+
 <p>Here's a link that contains the string <code>:JavaScript</code> within the <code>href</code>
 attribute:<br>
   <a href="https://wiki.mozilla.org/JavaScript:New_to_SpiderMonkey">

diff --git a/testing/tests/index.test.js b/testing/tests/index.test.js
@@ -1292,10 +1292,10 @@ test("unsafe HTML gets flagged as flaws and replace with its raw HTML", () => {
 
   const jsonFile = path.join(builtFolder, "index.json");
   const { doc } = JSON.parse(fs.readFileSync(jsonFile));
-  expect(doc.flaws.unsafe_html.length).toBe(5);
+  expect(doc.flaws.unsafe_html.length).toBe(6);
 
   const htmlFile = path.join(builtFolder, "index.html");
   const html = fs.readFileSync(htmlFile, "utf-8");
   const $ = cheerio.load(html);
-  expect($("code.unsafe-html").length).toBe(5);
+  expect($("code.unsafe-html").length).toBe(6);
 });