Bug 1718089 [wpt PR 29480] - [Sanitizer API] Adapt new string API. Also adapt tests., a=testonly

Automatic update from web-platform-tests [Sanitizer API] Adapt new string API. Also adapt tests. Implement Sanitizer.sanitizeFor. Drive-by fix: Ensure secure context. Both name, exact edge and error conditions for these methods are still in discussion, so this will likely require follow-on work. But the basics we're implementing here allow us to experiment, and will also likely hold. Ref: https://github.com/WICG/sanitizer-api/pull/99 Bug: 1221153 Change-Id: I9c7f74f71e07f5fc1a172ae8f7f6181178f3c8d9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2969103 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Cr-Commit-Position: refs/heads/master@{#899085} -- wpt-commits: 7bf0a3380a7a1a553dacde126cce91ba224f66e2 wpt-pr: 29480
2021-07-17 09:45:14 +00:00 · 2021-07-17 09:45:14 +00:00 · ab27f9b1a9
--- a/testing/web-platform/tests/sanitizer-api/sanitizer-sanitize.https.tentative.html
+++ b/testing/web-platform/tests/sanitizer-api/sanitizer-sanitize.https.tentative.html
@ -10,14 +10,29 @@
 <script>
    function getString(fragment) {
      d = document.createElement("div");
-      d.appendChild(fragment);
+      d.replaceChildren(...fragment.cloneNode(true).childNodes);
      return d.innerHTML;
    }

+    function getFragment(markup) {
+      const d = document.createElement("div");
+      d.innerHTML = markup;
+      let f = document.createDocumentFragment();
+      f.replaceChildren(...d.childNodes);
+      return f;
+    }
+    function getDoc(markup) {
+      return new DOMParser().parseFromString(markup, "text/html");
+    }
+    function assert_node_equals(node1, node2) {
+      assert_true(node1 instanceof Node && node1.isEqualNode(node2),
+                  `Node[${getString(node1)}] == Node[${getString(node2)}]`);
+    }
+
    test(t => {
-      let s = new Sanitizer({});
+      let s = new Sanitizer();
      assert_throws_js(TypeError, _ => s.sanitize());
-    }, "SanitizerAPI sanitize function without argument should throw an error.");
+    }, "Sanitizer.sanitize() should throw an error.");

    test(t => {
      let s = new Sanitizer({});
@ -26,22 +41,31 @@
      assert_equals(getString(fragment), "null");
    }, "SanitizerAPI sanitize function for null.");

-    testcases.forEach(c => test(t => {
-        let s = new Sanitizer(c.config_input);
-        fragment = s.sanitize(c.value);
-        assert_true(fragment instanceof DocumentFragment);
-        assert_equals(getString(fragment), c.result);
-    }, "SanitizerAPI with config: " + c.message + ", sanitize from string function for " + c.message));
+    const probe_string = `<a href="about:blank">hello</a><script>cons` +
+        `ole.log("world!");<` + `/script>`;
+    test(t => {
+      const sanitized = new Sanitizer().sanitize(getFragment(probe_string));
+      const expected = getFragment(probe_string.substr(0, 31));
+      assert_node_equals(expected, sanitized);
+    }, "Sanitizer.sanitze(DocumentFragment)");
+
+    test(t => {
+      const sanitized = new Sanitizer().sanitize(getDoc(probe_string));
+      const expected = getFragment(probe_string.substr(0, 31));
+      assert_node_equals(expected, sanitized);
+    }, "Sanitizer.sanitze(Document)");
+

    async_test(t => {
      let s = new Sanitizer();
-      fragment = s.sanitize("<img src='http://bla/'>");
+      fragment = s.sanitize(getFragment("<img src='http://bla/'>"));
      t.step_timeout(_ => {
        assert_equals(performance.getEntriesByName("http://bla/").length, 0);
        t.done();
      }, 1000);
    }, "SanitizerAPI sanitize function shouldn't load the image.");

+
    testcases.forEach(c => test(t => {
        let s = new Sanitizer(c.config_input);
        var dom = new DOMParser().parseFromString("<!DOCTYPE html><body>" + c.value, "text/html");
--- a/testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.html
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.html
@ -75,26 +75,4 @@
      resolve();
    });
  }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using.");
-
-  promise_test(t => {
-    let p = Promise.resolve()
-        .then(promise_violation("require-trusted-types-for 'script'"));
-    let s = new Sanitizer();
-    assert_throws_js(TypeError,
-        _ => {
-          fragment = s.sanitize("testHTML");
-        });
-    return p;
-  }, "Require trusted types for 'script' block Sanitizer sanitize from string API.");
-
-  promise_test(t => {
-    let p = Promise.resolve()
-        .then(promise_violation("require-trusted-types-for 'script'"));
-    let s = new Sanitizer();
-    assert_throws_js(TypeError,
-        _ => {
-          fragment = s.sanitize(null);
-        });
-    return p;
-  }, "Require trusted types for 'script' block Sanitizer sanitize null from string API.");
 </script>