diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
new file mode 100644
index 0000000000000..21a4cc1b6dc87
--- /dev/null
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -0,0 +1,271 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @emails react-core
+ */
+
+/* eslint-disable no-script-url */
+
+'use strict';
+
+const ReactDOMServerIntegrationUtils = require('./utils/ReactDOMServerIntegrationTestUtils');
+
+let React;
+let ReactDOM;
+let ReactDOMServer;
+
+function runTests(itRenders, itRejectsRendering, expectToReject) {
+ itRenders('a http link with the word javascript in it', async render => {
+ const e = await render(
+ Click me,
+ );
+ expect(e.tagName).toBe('A');
+ expect(e.href).toBe('http://javascript:0/thisisfine');
+ });
+
+ itRejectsRendering('a javascript protocol href', async render => {
+ // Only the first one warns. The second warning is deduped.
+ const e = await render(
+
+ p0wned
+ p0wned again
+
,
+ 1,
+ );
+ expect(e.firstChild.href).toBe('javascript:notfine');
+ expect(e.lastChild.href).toBe('javascript:notfineagain');
+ });
+
+ itRejectsRendering(
+ 'a javascript protocol with leading spaces',
+ async render => {
+ const e = await render(
+ p0wned,
+ 1,
+ );
+ // We use an approximate comparison here because JSDOM might not parse
+ // \u0000 in HTML properly.
+ expect(e.href).toContain('notfine');
+ },
+ );
+
+ itRejectsRendering(
+ 'a javascript protocol with intermediate new lines and mixed casing',
+ async render => {
+ const e = await render(
+ p0wned,
+ 1,
+ );
+ expect(e.href).toBe('javascript:notfine');
+ },
+ );
+
+ itRejectsRendering('a javascript protocol area href', async render => {
+ const e = await render(
+
+
+ ,
+ 1,
+ );
+ expect(e.firstChild.href).toBe('javascript:notfine');
+ });
+
+ itRejectsRendering('a javascript protocol form action', async render => {
+ const e = await render(
p0wned
, 1);
+ expect(e.action).toBe('javascript:notfine');
+ });
+
+ itRejectsRendering(
+ 'a javascript protocol button formAction',
+ async render => {
+ const e = await render(, 1);
+ expect(e.getAttribute('formAction')).toBe('javascript:notfine');
+ },
+ );
+
+ itRejectsRendering('a javascript protocol input formAction', async render => {
+ const e = await render(
+ ,
+ 1,
+ );
+ expect(e.getAttribute('formAction')).toBe('javascript:notfine');
+ });
+
+ itRejectsRendering('a javascript protocol iframe src', async render => {
+ const e = await render(