(payload, done)
| 294 | }; |
| 295 | |
| 296 | const runXssCase = (payload, done) => { |
| 297 | const fig = { |
| 298 | data: [{ x: [1], y: [1], type: 'scatter' }], |
| 299 | layout: { annotations: [{ x: 1, y: 1, showarrow: false, text: payload }] } |
| 300 | }; |
| 301 | |
| 302 | Plotly.newPlot(gd, fig) |
| 303 | .then(() => Plotly.toImage(gd, { format: 'svg', imageDataOnly: true })) |
| 304 | .then((svg) => expectNoEventHandlerAttrs(decodeURIComponent(svg))) |
| 305 | .then(done, done.fail); |
| 306 | }; |
| 307 | |
| 308 | it('should not let <span style=...> entity-encoded quotes escape attribute context', (done) => { |
| 309 | runXssCase('<span style="x:" onmouseover="__xss=1" a="">hi</span>', done); |