
Function TestRun_EventHandlerAttrBlocked

shortcuts/mail/lint/linter_test.go:222–236  ·  view source on GitHub ↗

TestRun_EventHandlerAttrBlocked verifies on*-handlers (onclick etc.) are stripped — they are an event-handler injection vector.

(t *testing.T)


// TestRun_EventHandlerAttrBlocked verifies on*-handlers (onclick etc.) are
// stripped — they are an event-handler injection vector.
func TestRun_EventHandlerAttrBlocked(t *testing.T) {
	const input = `<p onclick="alert(1)" id="ok">x</p>`
	rep := Run(input, Options{})

	// Exactly one finding is expected: the onclick attribute. Any other count
	// means the rule fired wrongly, and indexing Blocked[0] below would not be
	// safe, hence Fatalf rather than Errorf.
	if n := len(rep.Blocked); n != 1 {
		t.Fatalf("expected 1 blocked finding, got %d", n)
	}
	if got, want := rep.Blocked[0].RuleID, RuleAttrEventHandlerBlocked; got != want {
		t.Errorf("rule = %s, want %s", got, want)
	}

	cleaned := rep.CleanedHTML
	// The handler must not survive into the sanitized output...
	if strings.Contains(cleaned, "onclick") {
		t.Errorf("onclick should be stripped, cleaned=%q", cleaned)
	}
	// ...while a harmless attribute on the same element must be kept, showing
	// the linter strips the offending attribute instead of dropping the element.
	if !strings.Contains(cleaned, `id="ok"`) {
		t.Errorf("non-handler attrs should survive, cleaned=%q", cleaned)
	}
}
237
238// TestRun_OnErrorAttrBlocked tests one of the more common XSS vectors.
239func TestRun_OnErrorAttrBlocked(t *testing.T) {
