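--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/browser/components/sessionstore/test/browser_464620_a.html Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,54 @@
+<!-- Testcase originally by <moz_bug_r_a4@yahoo.com> -->
+
+<title>Test for bug 464620 (injection on input)</title>
+
+<iframe></iframe>
+<iframe onload="setup()"></iframe>
+
+<script>
+ var targetUrl = "http://mochi.test:8888/browser/" +
+ "browser/components/sessionstore/test/browser_464620_xd.html";
+ var firstPass;
+
+ function setup() {
+ if (firstPass !== undefined)
+ return;
+ firstPass = frames[1].location.href == "about:blank";
+ if (firstPass) {
+ frames[0].location = 'data:text/html;charset=utf-8,<body onload="if (parent.firstPass) parent.step();"><input id="x" oninput="parent.xss()">XXX</body>';
+ }
+ frames[1].location = targetUrl;
+ }
+
+ function step() {
+ var x = frames[0].document.getElementById("x");
+ if (x.value == "")
+ x.value = "ready";
+ x.style.display = "none";
+ frames[0].document.designMode = "on";
+ }
+
+ function xss() {
+ step();
+
+ var documentInjected = false;
+ document.getElementsByTagName("iframe")[0].onload =
+ function() { documentInjected = true; };
+ frames[0].location = targetUrl;
+
+ for (var c = 0; !documentInjected && c < 20; c++) {
+ var r = new XMLHttpRequest();
+ r.open("GET", location.href, false);
+ r.overrideMimeType("text/plain");
+ r.send(null);
+ }
+ document.getElementById("state").textContent = "done";
+
+ var event = new MessageEvent('464620_a', { bubbles: true, cancelable: false,
+ data: "done", origin: location.href,
+ source: window });
+ document.dispatchEvent(event);
+ }
+</script>
+
+<p id="state">pending</p>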
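Review bot: The spin loop in `xss()` stops silently after 20 synchronous XHR rounds, and both `#state` and the `464620_a` event report `"done"` whether or not `documentInjected` ever became true, so a run where frame 0 never finished loading `targetUrl` looks the same as a completed one. If the harness listening for that event (not visible here) keys only on `"done"`, this regression test could pass without having exercised the cross-domain check; the outcome should be exposed to the harness, or at least the limitation documented with a comment such as `// Spin via sync XHR (max 20 rounds) until frame 0's onload fires; "done" is reported even if it never does.` The two-pass logic in `setup()` is also undocumented; a line like `// firstPass is true only while frames[1] is still about:blank (initial load); later loads skip re-seeding frame 0.` would make the intent reviewable.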