BREAKING: The new project layout might break in some tooling setups. We've added an `exports` field to `package.json` to specify where statements like `import ... from 'docsify'` will import from, and left the `main` and `unpkg` fields as-is for backwards compatibility with the global `<script>` import method. Most people who use a non-module `<script>` tag to import Docsify will not notice a difference. Anyone else who is importing Docsify into a specialized build setup using `import` statements has a chance of being broken, so we've marked this as BREAKING.
import docsifyInit from '../helpers/docsify-init.js';
import { test, expect } from './fixtures/docsify-init-fixture.js';
/**
 * Security regression suite: a URL hash must not make Docsify render content
 * from a remote origin.
 *
 * Each case sets the hash to a route that begins with two or three slashes
 * followed by a host name (`#//domain.com/file.md`, `#///domain.com/file.md`).
 * Presumably such a route could otherwise be resolved like a protocol-relative
 * URL and fetched from that host; confirm against the router implementation.
 * Remote markdown rendered into the page would give whoever controls the link
 * a script-injection vector, hence the XSS grouping.
 */
test.describe('Security - Cross Site Scripting (XSS)', () => {
  // Local fixture content only: a homepage plus one named route, so every
  // assertion below can tell "homepage", "test page" and "something else" apart.
  const baseConfig = {
    markdown: { homepage: '# Hello World' },
    routes: { 'test.md': '# Test Page' },
  };

  // Hash values under test, built from the leading-slash variants.
  const remoteHashes = ['//', '///'].map(
    slashes => `#${slashes}domain.com/file.md`,
  );

  for (const remoteHash of remoteHashes) {
    test(`should not load remote content from hash (${remoteHash})`, async ({
      page,
    }) => {
      const main = page.locator('#main');

      // Baseline: the site boots and shows the homepage.
      await docsifyInit(baseConfig);
      await expect(main).toContainText('Hello World');

      // Move off the homepage first, so a later "Hello World" can only come
      // from the router falling back, not from content that never changed.
      await page.evaluate(() => {
        location.hash = '#/test';
      });
      await expect(main).toContainText('Test Page');

      // Apply the hash that names a remote host.
      await page.evaluate(target => {
        location.hash = target;
      }, remoteHash);

      // Expected outcome: the homepage is shown again and the hash is reset
      // to the root route.
      // NOTE(review): this checks the rendered fallback only; it does not
      // assert that no request to the remote host was issued.
      await expect(main).toContainText('Hello World');
      expect(page.url()).toMatch(/#\/$/);
    });
  }
});