(svg)
// One DOMParser instance, created once and reused by expectNoEventHandlerAttrs
// to parse serialized SVG output.
const parser = new DOMParser();
| 282 | |
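/**
 * Assert that serialized SVG markup carries no inline event-handler attributes.
 *
 * The markup is parsed as `image/svg+xml` and every attribute of every element
 * is inspected; any attribute whose lower-cased name starts with `on` is
 * reported through `fail`.
 *
 * Scope: only `on*` attribute names are examined. Other script-bearing
 * constructs (for example `<script>` elements or `javascript:` URLs in link
 * attributes) are not covered here and need their own assertions.
 *
 * @param {string} svg - SVG markup to inspect.
 * @returns {void}
 */
const expectNoEventHandlerAttrs = (svg) => {
  const doc = parser.parseFromString(svg, 'image/svg+xml');

  // DOMParser does not throw on malformed XML; it returns a document that
  // contains a <parsererror> element instead. Without this guard, markup the
  // XML parser rejects would be scanned only partly (or not at all) and the
  // attribute check below would pass vacuously.
  if (doc.getElementsByTagName('parsererror').length > 0) {
    fail('SVG did not parse as well-formed XML; event-handler attribute check is incomplete');
  }

  // Still scan whatever was parsed so that a handler attribute located before
  // the parse error is reported as well.
  for (const el of doc.getElementsByTagName('*')) {
    for (const attr of el.attributes) {
      // Lower-case first so mixed-case names such as `onLoad` are flagged too.
      const name = attr.name.toLowerCase();
      if (name.startsWith('on')) {
        fail(`parsed SVG has event-handler attribute <${el.nodeName} ${name}="${attr.value}">`);
      }
    }
  }
};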
| 295 | |
| 296 | const runXssCase = (payload, done) => { |
| 297 | const fig = { |