From 9da4afa6c6b0eab00a9d993a863e7cd5daa916dc Mon Sep 17 00:00:00 2001
From: Blink WPT Bot <blink-w3c-test-autoroller@chromium.org>
Date: Mon, 23 Dec 2024 16:23:57 -0800
Subject: [PATCH] [Sanitizer] Add tests for safe + unsafe cases. (#49761)

This tests for differences between setHTML and setHTMLUnsafe.

Since the html5lib testcase format only supports one result per testcase, we use two testcase files with identical inputs,
one each with the expectations for safe and unsafe variants.

Also, a drive-by fix for an issue uncovered by the tests: The
spec demands we block insertion in a <script> element (in safe cases).

Bug: 356601280
Change-Id: I1fb19f60fdcd7262292a983b548baebcaf43a440
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6039899
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1397856}

Co-authored-by: Daniel Vogelheim <vogelheim@chromium.org>
---
 sanitizer-api/sethtml-safety.dat            | 50 +++++++++++++++++
 sanitizer-api/sethtml-safety.tentative.html | 49 +++++++++++++++++
 sanitizer-api/sethtml-unsafety.dat          | 61 +++++++++++++++++++++
 3 files changed, 160 insertions(+)
 create mode 100644 sanitizer-api/sethtml-safety.dat
 create mode 100644 sanitizer-api/sethtml-safety.tentative.html
 create mode 100644 sanitizer-api/sethtml-unsafety.dat

diff --git a/sanitizer-api/sethtml-safety.dat b/sanitizer-api/sethtml-safety.dat
new file mode 100644
index 00000000000000..e53a988a511e7a
--- /dev/null
+++ b/sanitizer-api/sethtml-safety.dat
@@ -0,0 +1,50 @@
+#data
+test
+#document-fragment
+script
+#document
+
+#data
+<p>Hello</p>
+#document-fragment
+script
+#document
+
+#data
+<div>Hello<script>World</script>xxx
+#document
+| <div>
+|   "Hello"
+|   "xxx"
+
+#data
+<div>Hello<script>World</script>xxx
+#config
+{ "elements": ["div", "script"] }
+#document
+| <div>
+|   "Hello"
+|   "xxx"
+
+#data
+<svg>Hello<script>World</script>xxx
+#document
+| <svg svg>
+|   "Hello"
+|   "xxx"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#document
+| <img>
+|   src="https://bla.com/blubb"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#config
+{ "attributes": ["src", "onclick", "one"]}
+#document
+| <img>
+|   one="two"
+|   src="https://bla.com/blubb"
+
diff --git a/sanitizer-api/sethtml-safety.tentative.html b/sanitizer-api/sethtml-safety.tentative.html
new file mode 100644
index 00000000000000..d7a10c0477be80
--- /dev/null
+++ b/sanitizer-api/sethtml-safety.tentative.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<head>
+<title>Testcases from the previous Sanitizer API</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/html5lib-testcase-support.js"></script>
+<script>
+promise_test(async _ => {
+  const safety = await fetch("sethtml-safety.dat").
+          then(response => response.text()).
+          then(parse_html5lib_testcases);
+  const unsafety = await fetch("sethtml-unsafety.dat").
+          then(response => response.text()).
+          then(parse_html5lib_testcases);
+
+  // Ensure that the "safe" and "unsafe" testcase inputs are the same and that
+  // they only differ only in the expected outcome.
+  assert_equals(safety.length, unsafety.length);
+  for (let i = 0; i < safety.length; i++) {
+    assert_equals(safety[i].data, unsafety[i].data);
+    assert_equals(safety[i].config, unsafety[i].config);
+    assert_equals(safety[i]["document-fragment"], unsafety[i]["document-fragment"]);
+  }
+
+  // The main tests here are non-async. Let's run them here, to make sure the
+  // two fetches have completed.
+  test_each("setHTML", safety);
+  test_each("setHTMLUnsafe", unsafety);
+}, "wrapper");
+
+function test_each(method, testcases) {
+  testcases.forEach((testcase, index) => {
+    test(_ => {
+      const context = document.createElement(testcase["document-fragment"] ?? "div");
+      let config = undefined;
+      try {
+        config = JSON.parse(testcase.config);
+      } catch { }
+
+      context[method].call(context, testcase.data, { sanitizer: config });
+      assert_testcase(context, testcase);
+    }, `Testcase #${index}, ${method}("${testcase.data})".`);
+  });
+}
+</script>
+</head>
+<body>
+</body>
+
diff --git a/sanitizer-api/sethtml-unsafety.dat b/sanitizer-api/sethtml-unsafety.dat
new file mode 100644
index 00000000000000..b83004dfcb8e9e
--- /dev/null
+++ b/sanitizer-api/sethtml-unsafety.dat
@@ -0,0 +1,61 @@
+#data
+test
+#document-fragment
+script
+#document
+| "test"
+
+#data
+<p>Hello</p>
+#document-fragment
+script
+#document
+| "<p>Hello</p>"
+
+#data
+<div>Hello<script>World</script>xxx
+#document
+| <div>
+|   "Hello"
+|   <script>
+|     "World"
+|   "xxx"
+
+#data
+<div>Hello<script>World</script>xxx
+#config
+{ "elements": ["div", "script"] }
+#document
+| <div>
+|   "Hello"
+|   <script>
+|     "World"
+|   "xxx"
+
+#data
+<svg>Hello<script>World</script>xxx
+#document
+| <svg svg>
+|   "Hello"
+|   <svg script>
+|     "World"
+|   "xxx"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#document
+| <img>
+|   onclick="2+2"
+|   one="two"
+|   src="https://bla.com/blubb"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#config
+{ "attributes": ["src", "onclick", "one"]}
+#document
+| <img>
+|   onclick="2+2"
+|   one="two"
+|   src="https://bla.com/blubb"
+