Better handling for createElement; bug 625690

2011-02-01 07:49:48 -05:00 · 2011-02-01 07:49:48 -05:00 · 85769994b2
--- a/tests/test_js_functions.py
+++ b/tests/test_js_functions.py
@ -0,0 +1,39 @@
+import os
+import validator.testcases.scripting
+validator.testcases.scripting.traverser.DEBUG = True
+
+def _do_test_raw(script):
+    "Performs a test on a JS file"
+    
+    path = "foo"
+
+    err = validator.testcases.scripting.traverser.MockBundler()
+    validator.testcases.scripting.test_js_file(err, path, script)
+
+    return err
+
+def _get_var(err, name):
+    return err.final_context.data[name].get_literal_value()
+
+def test_basic_math():
+    "Tests that contexts work and that basic math is executed properly"
+    
+    err = _do_test_raw("""
+    var x = foo;
+    foo.bar.whateverElement("script");
+    """)
+    assert err.message_count == 0
+
+    err = _do_test_raw("""
+    var x = foo;
+    foo.bar.createElement("scr"+"ipt");
+    """)
+    assert err.message_count == 1
+    
+    err = _do_test_raw("""
+    var x = foo;
+    foo.bar.createElementNS("http://foo.bar/", "asdf:" +"scr"+"ipt");
+    """)
+    assert err.message_count == 1
+
+
--- a/validator/testcases/javascript/actions.py
+++ b/validator/testcases/javascript/actions.py
@ -210,7 +210,28 @@ def _call_expression(traverser, node):
                                  line=traverser.line,
                                  column=traverser.position,
                                  context=traverser.context)
-
+    elif node["callee"]["type"] == "MemberExpression" and \
+         node["callee"]["property"]["type"] == "Identifier":
+        identifier_name =  node["callee"]["property"]["name"]
+        simple_args = [str(traverser._traverse_node(a).get_literal_value()) for
+                       a in
+                       args]
+        if (identifier_name == "createElement" and
+            simple_args[0] == "script") or \
+           (identifier_name == "createElementNS" and
+            "script" in simple_args[1]):
+            traverser.err.warning(("testcases_javascript_actions",
+                                   "_call_expression",
+                                   "called_createelement"),
+                                  "createElement() used to create script tag"
+                                  "The createElement() function was used to "
+                                  "create a script tag in a JavaScript file. "
+                                  "Add-ons are not allowed to create script "
+                                  "tags or load code dynamically from the web.",
+                                  traverser.filename,
+                                  line=traverser.line,
+                                  column=traverser.position,
+                                  context=traverser.context)
    return True

 def _call_settimeout(a,t):
--- a/validator/testcases/scripting.py
+++ b/validator/testcases/scripting.py
@ -121,8 +121,7 @@ def _regex_tests(err, data, filename):
              "extensions\\.blocklist\\.url": np_warning,
              "extensions\\.blocklist\\.level": np_warning,
              "extensions\\.blocklist\\.interval": np_warning,
-              "general\\.useragent": np_warning,
-              "createElement": "Markup elements may not be created dynamically"}
+              "general\\.useragent": np_warning,}

    for regex, message in errors.items():
        reg = re.compile(regex)