add test

V4Fire · Sep 16, 2024 · 5cc47aa · 5cc47aa
1 parent e927425
commit 5cc47aa
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,12 @@ Changelog
 
 _Note: Gaps between patch versions are faulty, broken or test releases._
 
+## 4.0.0-beta.134 (2024-09-17)
+
+#### :rocket: New Feature
+
+* Added sanitizing to `toString` method to prevent XSS vulnerabilities `core/hydration-store`
+
 ## v4.0.0-beta.133 (2024-09-13)
 
 #### :bug: Bug Fix

diff --git a/src/core/hydration-store/CHANGELOG.md b/src/core/hydration-store/CHANGELOG.md
@@ -9,6 +9,12 @@ Changelog
 > - :house: [Internal]
 > - :nail_care: [Polish]
 
+## 4.0.0-beta.134 (2024-09-17)
+
+#### :rocket: New Feature
+
+* Added sanitizing to `toString` method to prevent XSS vulnerabilities
+
 ## 4.0.0-beta.108.a-new-hope (2024-07-15)
 
 #### :boom: Breaking Change

diff --git a/src/core/hydration-store/test/unit/json.ts b/src/core/hydration-store/test/unit/json.ts
@@ -25,7 +25,7 @@ test.describe('core/component/hydration converting to JSON', () => {
  serverHydrationStore = await hydrationAPI.evaluateHandle(({default: HydrationStore}) => new HydrationStore('server'));
  });
 
- test('should correctly convert the store to JSON', async ({page}) => {
+ test.only('should correctly convert the store to JSON', async ({page}) => {
  await serverHydrationStore.evaluate((ctx) => ctx.set('componentId', 'foo', {bar: 'baz'}));
 
  await appendJSONToDOM(page);
@@ -39,6 +39,22 @@ test.describe('core/component/hydration converting to JSON', () => {
  test.expect(valueByPath).toEqual({bar: 'baz'});
  });
 
+ test.only('should not add harmful HTML to the JSON', async ({page}) => {
+ await serverHydrationStore.evaluate((ctx) => {
+ ctx.set('componentId', 'foo', {
+ bar: 'baz',
+ foo: '<script>alert(1)</script>'
+ });
+ });
+
+ await appendJSONToDOM(page);
+
+ const clientHydrationStore = await hydrationAPI.evaluateHandle(({default: HydrationStore}) => new HydrationStore('client'));
+
+ const valueByPath = await clientHydrationStore.evaluate((ctx) => ctx.get('componentId', 'foo'));
+ test.expect(valueByPath).toEqual({bar: 'baz', foo: ''});
+ });
+
  test('should remove value from the JSON store when it is removed from the store', async ({page}) => {
  await serverHydrationStore.evaluate((ctx) => {
  ctx.set('componentId', 'foo', {bar: 'baz'});
@@ -100,7 +116,7 @@ test.describe('core/component/hydration converting to JSON', () => {
 
  await page.evaluate(([json]) => {
  const div = document.createElement('div');
- div.innerHTML = `<noframes id="hydration-store" style="display: none">${json}</noframes>`;
+ div.innerHTML = `<noframes id="hydration-store" style="display: none;">${json}</noframes>`;
  document.body.appendChild(div);
  }, [json]);
  }