The server currently does not filter messages in any way. To avoid users effortlessly hijacking the chat client, we will add one test that expects any messages including HTML to be escaped, as seen in Listing 15.58.
Listing 15.58 Expecting basic cross site scripting protection
"test should escape HTML in messages": function () {
    this.controller.addMessage({
        user: "Dr. Evil",
        message: "<script>window.alert('p4wned!');</script>"
    });

    var expected = "&lt;script>window.alert('p4wned!');" +
                   "&lt;/script>";
    var dd = this.element.getElementsByTagName("dd")[1];

    assertEquals(expected, dd.innerHTML);
}
The test fails; no one is stopping Dr. Evil from having his way with the chat
client. Listing 15.59 adds basic protection against script injection.
Listing 15.59 Adding basic XSS protection
function addMessage(message) {
    /* ... */
    msg.innerHTML = message.message.replace(/</g, "&lt;");
    this.view.appendChild(msg);
}
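Listing 15.59 only replaces the less-than sign, which is enough to make the test pass but leaves other markup-significant characters alone. The following escaper is an added example, not code from the book or its chat client; `escapeHTML` and `renderMessage` are names chosen here, and the dt/dd markup mirrors what the controller builds.

```javascript
// Added example: escape every character that can change meaning in
// HTML text or attribute content, not just "<" as in Listing 15.59.
var ESCAPE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "\"": "&quot;",
    "'": "&#39;"
};

function escapeHTML(text) {
    // "&" is escaped as well so that entities already present in the
    // message are shown literally instead of being decoded by the browser.
    return String(text).replace(/[&<>"']/g, function (ch) {
        return ESCAPE_MAP[ch];
    });
}

// Builds the markup the chat controller produces for one message: a dt
// for the user and a dd for the body. The user name also arrives from
// the network, so it is escaped too. (Assigning textContent instead of
// innerHTML would avoid the need for escaping altogether.)
function renderMessage(message) {
    return "<dt>" + escapeHTML(message.user) + "</dt>" +
           "<dd>" + escapeHTML(message.message) + "</dd>";
}

// Constructed sample input: the payload from Listing 15.58 and a user
// name containing characters the single-character replace would miss.
var samples = [
    { user: "Dr. Evil", message: "<script>window.alert('p4wned!');</script>" },
    { user: "Tom & \"Jerry\"", message: "One-two-three not it!" }
];

samples.forEach(function (m) {
    console.log(renderMessage(m));
});
```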
15.4.4 Repeated Messages From Same User
Before we get going on the message form controller, we will add one more test. If we
receive multiple messages in a row from the same user, we will expect the controller
to not repeat the user. In other words, if two consecutive messages originate from
the same user, we will not add a second dt element. Listing 15.60 tests for this
feature by adding two messages and expecting only one dt element.
Listing 15.60 Expecting controller not to repeat dt elements
"test should not repeat same user dt's": function () {
    this.controller.addMessage({
        user: "Kyle",
        message: "One-two-three not it!"
    });