Menu

#447 Don't execute JavaScript in <noframes> and <iframe>

closed
Marc Guillemot
None
5
2012-10-21
2007-03-27
kkolman
No

Since htmlunit supports frames, don't execute Javascript contained in <noframes> and <iframe> elements.</p> <p>Actually I think that <noframes>, <iframe> content shouldn't get loaded into the domtree at all. (see the tests 3 and 4 in the attached unit test).</p></noframes>

Discussion

  • kkolman

    kkolman - 2007-03-28

    Logged In: YES
    user_id=1612820
    Originator: YES

    File Added: NoFramesTest.java

     

  • kkolman

    kkolman - 2007-03-28

    Reupload od the test - a stronger one

     
    NoFramesTest.java

  • Ahmed Ashour

    Ahmed Ashour - 2007-04-07

    Logged In: YES
    user_id=950730
    Originator: NO

    I don't think <noframes>, and <iframe> content shouldn't get loaded, otherwise HtmlPage.asXml() will not retrieve them (and that affects what the user expects).</p> <p>Below is a patch (can't be uploaded). However, HtmlInlineFrameTest.testSetSrcAttribute_ViaJavaScript fails and seems to be invalid test, please verify why it is there.</p> <p>Many thanks,<br> Ahmed Ashour</p> <hr> <p>Index: src/java/com/gargoylesoftware/htmlunit/html/HtmlPage.java</p> <p>===================================================================</p> <p>--- src/java/com/gargoylesoftware/htmlunit/html/HtmlPage.java (revision 1363)</p> <p>+++ src/java/com/gargoylesoftware/htmlunit/html/HtmlPage.java (working copy)</p> <p>@@ -87,6 +87,7 @@</p> <ul> <li><a class="user-mention" href="/u/author/profile/">@author</a> <a href="mailto:cse@dynabean.de">Christian Sell</a></li> <li><a class="user-mention" href="/u/author/profile/">@author</a> Chris Erskine</li> <li><a class="user-mention" href="/u/author/profile/">@author</a> Marc Guillemot</li> <li> <ul> <li><a class="user-mention" href="/u/author/profile/">@author</a> Ahmed Ashour<br> */<br> public final class HtmlPage extends DomNode implements Page {</li> </ul> </li> </ul> <p>@@ -1407,7 +1408,16 @@</p> <div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="nt">if</span><span class="w"> </span><span class="o">(</span><span class="nt">elem</span><span class="w"> </span><span class="nt">instanceof</span><span class="w"> </span><span class="nt">HtmlScript</span><span class="o">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="err">final</span><span class="w"> </span><span class="err">HtmlScript</span><span class="w"> </span><span class="err">scriptNode</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="err">(HtmlScript)</span><span class="w"> </span><span class="err">node</span><span class="p">;</span> <span class="w"> </span><span class="err">getLog().debug(&quot;Script</span><span class="w"> </span><span class="err">node</span><span class="w"> </span><span class="n">added</span><span class="p">:</span><span class="w"> </span><span class="err">&quot;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">scriptNode</span><span class="o">.</span><span class="nf">asXml</span><span class="p">());</span> </code></pre></div> <ul> <li>scriptNode.executeScriptIfNeeded();<br> +</li> <li>boolean preventExecution = false;</li> <li>for( DomNode n = node; n != null; n = n.getParentNode() ) {</li> <li>if( n instanceof HtmlInlineFrame || n instanceof HtmlNoFrames ) {</li> <li>preventExecution = true;</li> <li>break;</li> <li>}</li> <li>}</li> <li>if( !preventExecution )</li> <li>scriptNode.executeScriptIfNeeded();<br> } <br> else {<br> final List scripts = elem.getHtmlElementsByTagName("script");<br> Index: src/java/com/gargoylesoftware/htmlunit/html/HtmlScript.java</li> </ul> <p>===================================================================</p> <p>--- src/java/com/gargoylesoftware/htmlunit/html/HtmlScript.java (revision 1363)</p> <p>+++ src/java/com/gargoylesoftware/htmlunit/html/HtmlScript.java (working copy)</p> <p>@@ -53,6 +53,7 @@</p> <ul> <li><a class="user-mention" href="/u/author/profile/">@author</a> <a href="mailto:cse@dynabean.de">Christian Sell</a></li> <li><a class="user-mention" href="/u/author/profile/">@author</a> Marc Guillemot</li> <li><a class="user-mention" href="/u/author/profile/">@author</a> David K. Taylor</li> <li> <ul> <li><a class="user-mention" href="/u/author/profile/">@author</a> Ahmed Ashour</li> </ul> </li> <li><a class="user-mention" href="/u/see/profile/">@see</a> <a href="http://www.w3.org/TR/2000/WD-DOM-Level-1-20000929/level-one-html.html#ID-81598695"></li> <li>DOM Level 1</a></li> <li> <p><a class="user-mention" href="/u/see/profile/">@see</a> <a href="http://www.w3.org/TR/2003/REC-DOM-Level-2-HTML-20030109/html.html#ID-81598695"><br> @@ -166,7 +167,15 @@</p> <p>*/<br> public DomNode appendChild(final DomNode node) {<br> final DomNode response = super.appendChild(node);</p> </li> <li> <p>executeInlineScriptIfNeeded();</p> </li> <li>boolean preventExecution = false;</li> <li>for( DomNode o = node; o != null; o = o.getParentNode() ) {</li> <li>if( o instanceof HtmlInlineFrame || o instanceof HtmlNoFrames) {</li> <li>preventExecution = true;</li> <li>break;</li> <li>}</li> <li>}</li> <li>if( !preventExecution )</li> <li>executeInlineScriptIfNeeded();<br> return response;<br> }</li> </ul> <p>Index: src/test/java/com/gargoylesoftware/htmlunit/html/HtmlFrameSetTest.java</p> <p>===================================================================</p> <p>--- src/test/java/com/gargoylesoftware/htmlunit/html/HtmlFrameSetTest.java (revision 1363)</p> <p>+++ src/test/java/com/gargoylesoftware/htmlunit/html/HtmlFrameSetTest.java (working copy)</p> <p>@@ -291,4 +291,35 @@</p> <div class="codehilite"><pre><span></span><code> assertEquals(URL_FIRST.toString(), lastAdditionalHeaders.get(&quot;Referer&quot;)); } </code></pre></div> <p>-}</p> <ul> <li>public void testScriptUnderNoFrames() throws Exception {</li> <li>final String firstContent</li> <li>= "<html><head><title>first</title></head>"</li> <li> <ul> <li>"<frameset cols='100%'>"</li> </ul> </li> <li> <ul> <li>" <frame src='http://second'' id='frame1'/>"</li> </ul> </li> <li> <ul> <li>" <noframes>"</li> </ul> </li> <li> <ul> <li>" <div><script>alert('1');</script></div>"</li> </ul> </li> <li> <ul> <li>" <script src='http://third'></script>"</li> </ul> </li> <li>+" </noframes>"

    • "";
  • final String secondContent
  • = "<script>alert('2');</script>";
  • final String thirdContent
  • = "alert('3');";
  • final WebClient client = new WebClient();
    +
  • final MockWebConnection webConnection = new MockWebConnection( client );
  • webConnection.setResponse(URL_FIRST, firstContent);
  • webConnection.setResponse(URL_SECOND, secondContent);
  • webConnection.setResponse(URL_THIRD, thirdContent, "text/javascript");
    +
  • client.setWebConnection( webConnection );
  • final List expectedAlerts = Arrays.asList(new String[]{"2"});
  • ArrayList collectedAlerts = new ArrayList();
  • client.setAlertHandler( new CollectingAlertHandler(collectedAlerts) );
  • final HtmlPage firstPage = ( HtmlPage )client.getPage(URL_FIRST);
  • assertEquals( expectedAlerts, collectedAlerts );
  • }
    +
    +}

    • \ No newline at end of file

    Index: src/test/java/com/gargoylesoftware/htmlunit/html/HtmlInlineFrameTest.java

    ===================================================================

    --- src/test/java/com/gargoylesoftware/htmlunit/html/HtmlInlineFrameTest.java (revision 1363)

    +++ src/test/java/com/gargoylesoftware/htmlunit/html/HtmlInlineFrameTest.java (working copy)

    @@ -37,8 +37,12 @@

    */
    package com.gargoylesoftware.htmlunit.html;

    +import java.util.ArrayList;
    +import java.util.Arrays;
    import java.util.Collections;
    +import java.util.List;

    +import com.gargoylesoftware.htmlunit.CollectingAlertHandler;
    import com.gargoylesoftware.htmlunit.MockWebConnection;
    import com.gargoylesoftware.htmlunit.WebClient;
    import com.gargoylesoftware.htmlunit.WebTestCase;
    @@ -48,6 +52,7 @@

    *

    • @version $Revision$
    • @author Mike Bowler

      • @author Ahmed Ashour
        /
        public class HtmlInlineFrameTest extends WebTestCase {
        /        *
        @@ -122,4 +127,33 @@

        assertEquals( "http://third", iframe.getSrcAttribute() );
        assertEquals( "Third", ((HtmlPage)iframe.getEnclosedPage()).getTitleText() );
        }
        -}
        +

    • public void testScriptUnderIFrame() throws Exception {

    • final String firstContent
    • = ""
      • "<iframe src="http://second">"</li> </ul> </li> <li> <ul> <li>" <div><script>alert('1');</script></div>"</li> </ul> </li> <li> <ul> <li>" <script src='http://third'></script>"</li> </ul> </li> <li> <ul> <li>"</iframe>"
      • "";
    • final String secondContent
    • = "<script>alert('2');</script>";
    • final String thirdContent
    • = "alert('3');";
    • final WebClient client = new WebClient();
      +
    • final MockWebConnection webConnection = new MockWebConnection( client );
    • webConnection.setResponse(URL_FIRST, firstContent);
    • webConnection.setResponse(URL_SECOND, secondContent);
    • webConnection.setResponse(URL_THIRD, thirdContent, "text/javascript");
      +
    • client.setWebConnection( webConnection );
    • final List expectedAlerts = Arrays.asList(new String[]{"2"});
    • ArrayList collectedAlerts = new ArrayList();
    • client.setAlertHandler( new CollectingAlertHandler(collectedAlerts) );
    • final HtmlPage firstPage = ( HtmlPage )client.getPage(URL_FIRST);
    • assertEquals( expectedAlerts, collectedAlerts );
    • }
      +}

    \ No newline at end of file

 

Log in to post a comment.

MongoDB Logo MongoDB