Test to ensure we're escaping group labels from Prototype

Quick note: this uses the idiom `div.innerHTML = tmpl` instead of what we've been using in our other tests, which is `div.update(tmpl)` because of some fun stuff that Prototype does when one calls `update`: docs: http://api.prototypejs.org/dom/Element/prototype/update/ Relevant quote for funsies: > If newContent is a string and contains one or more inline <script> > tags, the scripts are scheduled to be evaluated after a very brief pause > (using Function#defer) to allow the browser to finish updating the DOM. Yeah.
harvesthq · Jun 7, 2018 · 053057e · 053057e
1 parent a4cf007
commit 053057e
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/spec/proto/bugfixes.spec.coffee b/spec/proto/bugfixes.spec.coffee
@@ -0,0 +1,32 @@
+describe "Bugfixes", ->
+  it "https://github.com/harvesthq/chosen/issues/2996 - XSS Vulnerability with `include_group_label_in_selected: true`", ->
+    tmpl = "
+      <select>
+        <option value=''></option>
+        <optgroup id='xss' label='</script><script>console.log(1)</script>'>
+          <option>an xss option</option>
+        </optgroup>
+      </select>
+    "
+    div = new Element("div")
+    document.body.insert(div)
+    div.innerHTML = tmpl
+
+    select = div.down("select")
+    new Chosen select,
+      include_group_label_in_selected: true
+
+    # open the drop
+    container = div.down(".chosen-container")
+    simulant.fire(container, "mousedown") # open the drop
+
+    xss_option = container.select(".active-result").last()
+    expect(xss_option.innerHTML).toBe "an xss option"
+
+    # trigger the selection of the xss option
+    simulant.fire(xss_option, "mouseup")
+
+    # make sure the script tags are escaped correctly
+    label_html = container.down("a.chosen-single").innerHTML
+    expect(label_html).toContain('&lt;/script&gt;&lt;script&gt;console.log(1)&lt;/script&gt;')
+