
Move XSS tests into a separate spec

JC Brand 5 年之前
父節點
當前提交
540a85e8db
共有 3 個文件被更改,包括 2 次插入112 次删除
  1. 0 60
      spec/messages.js
  2. 0 51
      spec/muc.js
  3. 2 1
      tests/runner.js

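--- a/spec/messages.js
+++ b/spec/messages.js
@@ -889,66 +889,6 @@
             done();
         }));
 
-        it("will have properly escaped URLs",
-            mock.initConverse(
-                ['rosterGroupsFetched', 'chatBoxesFetched'], {},
-                async function (done, _converse) {
-
-            await test_utils.waitForRoster(_converse, 'current');
-            await test_utils.openControlBox(_converse);
-
-            const contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@montague.lit';
-            await test_utils.openChatBoxFor(_converse, contact_jid)
-            const view = _converse.api.chatviews.get(contact_jid);
-
-            let message = "http://www.opkode.com/'onmouseover='alert(1)'whatever";
-            await test_utils.sendMessage(view, message);
-
-            let msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML)
-                .toEqual('<a target="_blank" rel="noopener" href="http://www.opkode.com/%27onmouseover=%27alert%281%29%27whatever">http://www.opkode.com/\'onmouseover=\'alert(1)\'whatever</a>');
-
-            message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever';
-            await test_utils.sendMessage(view, message);
-
-            msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML).toEqual('<a target="_blank" rel="noopener" href="http://www.opkode.com/%22onmouseover=%22alert%281%29%22whatever">http://www.opkode.com/"onmouseover="alert(1)"whatever</a>');
-
-            message = "https://en.wikipedia.org/wiki/Ender's_Game";
-            await test_utils.sendMessage(view, message);
-
-            msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML).toEqual('<a target="_blank" rel="noopener" href="https://en.wikipedia.org/wiki/Ender%27s_Game">'+message+'</a>');
-
-            message = "<https://bugs.documentfoundation.org/show_bug.cgi?id=123737>";
-            await test_utils.sendMessage(view, message);
-
-            msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML).toEqual(
-                `&lt;<a target="_blank" rel="noopener" href="https://bugs.documentfoundation.org/show_bug.cgi?id=123737">https://bugs.documentfoundation.org/show_bug.cgi?id=123737</a>&gt;`);
-
-            message = '<http://www.opkode.com/"onmouseover="alert(1)"whatever>';
-            await test_utils.sendMessage(view, message);
-
-            msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML).toEqual(
-                '&lt;<a target="_blank" rel="noopener" href="http://www.opkode.com/%22onmouseover=%22alert%281%29%22whatever">http://www.opkode.com/"onmouseover="alert(1)"whatever</a>&gt;');
-
-            message = `https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2`
-            await test_utils.sendMessage(view, message);
-
-            msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
-            expect(msg.textContent).toEqual(message);
-            expect(msg.innerHTML).toEqual(
-                `<a target="_blank" rel="noopener" href="https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=%213m6%211e1%213m4%211sQ7SdHo_bPLPlLlU8GSGWaQ%212e0%217i13312%218i6656%214m5%213m4%211s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08%218m2%213d52.3773668%214d4.5489388%215m1%211e2">https://www.google.com/maps/place/Kochstraat+6,+2041+CE+Zandvoort/@52.3775999,4.548971,3a,15y,170.85h,88.39t/data=!3m6!1e1!3m4!1sQ7SdHo_bPLPlLlU8GSGWaQ!2e0!7i13312!8i6656!4m5!3m4!1s0x47c5ec1e56f845ad:0x1de0bc4a5771fb08!8m2!3d52.3773668!4d4.5489388!5m1!1e2</a>`);
-            done();
-        }));
-
         it("will render newlines",
             mock.initConverse(
                 ['rosterGroupsFetched', 'chatBoxesFetched'], {},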
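--- a/spec/muc.js
+++ b/spec/muc.js
@@ -1731,38 +1731,6 @@
                 done();
             }));
 
-            it("escapes occupant nicknames when rendering them, to avoid JS-injection attacks",
-                mock.initConverse(['rosterGroupsFetched'], {},
-                async function (done, _converse) {
-
-                await test_utils.openAndEnterChatRoom(_converse, 'lounge@montague.lit', 'romeo');
-                /* <presence xmlns="jabber:client" to="jc@chat.example.org/converse.js-17184538"
-                 *      from="oo@conference.chat.example.org/&lt;img src=&quot;x&quot; onerror=&quot;alert(123)&quot;/&gt;">
-                 *   <x xmlns="http://jabber.org/protocol/muc#user">
-                 *    <item jid="jc@chat.example.org/converse.js-17184538" affiliation="owner" role="moderator"/>
-                 *    <status code="110"/>
-                 *   </x>
-                 * </presence>"
-                 */
-                const presence = $pres({
-                        to:'romeo@montague.lit/pda',
-                        from:"lounge@montague.lit/&lt;img src=&quot;x&quot; onerror=&quot;alert(123)&quot;/&gt;"
-                }).c('x').attrs({xmlns:'http://jabber.org/protocol/muc#user'})
-                    .c('item').attrs({
-                        jid: 'someone@montague.lit',
-                        role: 'moderator',
-                    }).up()
-                    .c('status').attrs({code:'110'}).nodeTree;
-
-                _converse.connection._dataRecv(test_utils.createRequest(presence));
-                const view = _converse.chatboxviews.get('lounge@montague.lit');
-                await u.waitUntil(() => view.el.querySelectorAll('li .occupant-nick').length, 500);
-                const occupants = view.el.querySelector('.occupant-list').querySelectorAll('li .occupant-nick');
-                expect(occupants.length).toBe(2);
-                expect(occupants[0].textContent.trim()).toBe("&lt;img src=&quot;x&quot; onerror=&quot;alert(123)&quot;/&gt;");
-                done();
-            }));
-
             it("indicates moderators and visitors by means of a special css class and tooltip",
                 mock.initConverse(
                     ['rosterGroupsFetched'], {'view_mode': 'fullscreen'},
@@ -2234,25 +2202,6 @@
                 done();
             }));
 
-            it("escapes the subject before rendering it, to avoid JS-injection attacks",
-                mock.initConverse(
-                    ['rosterGroupsFetched'], {},
-                    async function (done, _converse) {
-
-                await test_utils.openAndEnterChatRoom(_converse, 'jdev@conference.jabber.org', 'jc');
-                spyOn(window, 'alert');
-                const subject = '<img src="x" onerror="alert(\'XSS\');"/>';
-                const view = _converse.chatboxviews.get('jdev@conference.jabber.org');
-                view.model.set({'subject': {
-                    'text': subject,
-                    'author': 'ralphm'
-                }});
-                expect(sizzle('.chat-event:last').pop().textContent.trim()).toBe('Topic set by ralphm');
-                expect(view.el.querySelector('.chat-head__desc').textContent.trim()).toBe(subject);
-                done();
-            }));
-
-
             it("reconnects when no-acceptable error is returned when sending a message",
                 mock.initConverse(
                     ['rosterGroupsFetched'], {},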
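--- a/tests/runner.js
+++ b/tests/runner.js
@@ -65,7 +65,8 @@ var specs = [
     "spec/login",
     "spec/register",
     "spec/http-file-upload",
-    "spec/emojis"
+    "spec/emojis",
+    "spec/xss"
 ];
 
 require(['console-reporter', 'mock', 'sinon'], (ConsoleReporter, mock, sinon) => {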
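Review bot: The new `"spec/xss"` entry in the `specs` array points at a module that this commit does not add — the diffstat lists only `spec/messages.js`, `spec/muc.js` and `tests/runner.js` — so unless `spec/xss.js` is already in the tree or lands in a companion commit, the runner will fail to resolve it and the whole suite stops loading. The three cases removed here (URL attribute escaping in messages, occupant-nickname escaping and room-subject escaping in MUC) are the regression tests for three distinct HTML-injection sinks, so it is worth confirming that the new spec carries all of them and not a subset, since a dropped case would leave one sink without coverage. A short comment on the new entry, `// XSS regression tests moved here from spec/messages.js and spec/muc.js`, would make the move traceable for the next reader. The `specs` array opens before this hunk.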