fix: do not allow postMessage with axe version of x.y.z (#2790)
straker authored Feb 5, 2021
1 parent 5c8dec8 commit 5acda82
Showing 9 changed files with 102 additions and 86 deletions.
5 changes: 1 addition & 4 deletions lib/core/utils/respondable.js
Expand Up @@ -47,10 +47,7 @@ function verify(postedMessage) {
var messageSource = _getSource();
return (
// Check the version matches
postedMessage._source === messageSource ||
// Allow free communication with axe test
postedMessage._source === 'axeAPI.x.y.z' ||
messageSource === 'axeAPI.x.y.z'
postedMessage._source === messageSource
);
}
return false;
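Review bot: The remaining check in verify(), `postedMessage._source === messageSource`, compares a field that the sender of the message fills in, so it is a version-compatibility gate and should not be read as proof of where the message came from. A short comment on that line would keep a later reader from relying on it for more, e.g. `// _source is sender-supplied: this matches versions, it does not authenticate the sender`. No regression test for the removed 'axeAPI.x.y.z' path is visible in the files rendered on this page (six of the nine changed files are shown), so it is worth confirming that a message carrying `_source: 'axeAPI.x.y.z'` is asserted to be rejected. verify() starts above the hunk, so any checks made before this return are not visible here.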
66 changes: 37 additions & 29 deletions test/core/base/audit.js
Expand Up @@ -4,6 +4,7 @@ describe('Audit', function() {

var Audit = axe._thisWillBeDeletedDoNotUse.base.Audit;
var Rule = axe._thisWillBeDeletedDoNotUse.base.Rule;
var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
var a, getFlattenedTree;
var isNotCalled = function(err) {
throw err || new Error('Reject should not be called');
Expand Down Expand Up @@ -115,7 +116,9 @@ describe('Audit', function() {
audit._constructHelpUrls();
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/target?application=axeAPI'
});
});
it('should use changed branding', function() {
Expand All @@ -131,7 +134,9 @@ describe('Audit', function() {
audit._constructHelpUrls();
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI'
'https://dequeuniversity.com/rules/thing/' +
ver +
'/target?application=axeAPI'
});
});
it('should use changed application', function() {
Expand All @@ -147,7 +152,9 @@ describe('Audit', function() {
audit._constructHelpUrls();
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/target?application=thing'
});
});

Expand All @@ -159,7 +166,9 @@ describe('Audit', function() {
selector: 'bob',
metadata: {
helpUrl:
'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
'https://dequeuniversity.com/rules/myproject/' +
ver +
'/target1?application=axeAPI'
}
});
audit.addRule({
Expand All @@ -170,7 +179,9 @@ describe('Audit', function() {

assert.equal(
audit.data.rules.target1.helpUrl,
'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
'https://dequeuniversity.com/rules/myproject/' +
ver +
'/target1?application=axeAPI'
);
assert.isUndefined(audit.data.rules.target2);

Expand All @@ -180,11 +191,15 @@ describe('Audit', function() {

assert.equal(
audit.data.rules.target1.helpUrl,
'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
'https://dequeuniversity.com/rules/myproject/' +
ver +
'/target1?application=axeAPI'
);
assert.equal(
audit.data.rules.target2.helpUrl,
'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI'
'https://dequeuniversity.com/rules/thing/' +
ver +
'/target2?application=axeAPI'
);
});
it('understands prerelease type version numbers', function() {
Expand All @@ -205,24 +220,7 @@ describe('Audit', function() {
'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI'
);
});
it('sets x.y as version for invalid versions', function() {
var tempVersion = axe.version;
var audit = new Audit();
audit.addRule({
id: 'target',
matches: 'function () {return "hello";}',
selector: 'bob'
});

axe.version = 'in-3.0-valid';
audit._constructHelpUrls();

axe.version = tempVersion;
assert.equal(
audit.data.rules.target.helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
);
});
it('matches major release versions', function() {
var tempVersion = axe.version;
var audit = new Audit();
Expand Down Expand Up @@ -256,7 +254,9 @@ describe('Audit', function() {
audit._constructHelpUrls();
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI&lang=de'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/target?application=axeAPI&lang=de'
});
});
});
Expand Down Expand Up @@ -296,7 +296,9 @@ describe('Audit', function() {
});
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/target?application=thing'
});
});
it('should call _constructHelpUrls even when nothing changed', function() {
Expand All @@ -311,7 +313,9 @@ describe('Audit', function() {
audit.setBranding(undefined);
assert.deepEqual(audit.data.rules.target, {
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/target?application=axeAPI'
});
});
it('should not replace custom set branding', function() {
Expand All @@ -322,7 +326,9 @@ describe('Audit', function() {
selector: 'bob',
metadata: {
helpUrl:
'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
'https://dequeuniversity.com/rules/customer-x/' +
ver +
'/target?application=axeAPI'
}
});
audit.setBranding({
Expand All @@ -331,7 +337,9 @@ describe('Audit', function() {
});
assert.equal(
audit.data.rules.target.helpUrl,
'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
'https://dequeuniversity.com/rules/customer-x/' +
ver +
'/target?application=axeAPI'
);
});
});
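Review bot: The `ver` helper added at the top of the describe block takes everything before the last dot of axe.version, which yields major.minor only for a plain three-part version. For a prerelease string with a dotted suffix (a constructed example: `1.2.3-beta.4`) it would keep the patch and tag, and every helpUrl assertion built from it would fail, even though the 'understands prerelease type version numbers' test in this file expects such versions to map to major.minor. Matching the leading major.minor is sturdier: `var ver = axe.version.match(/^\d+\.\d+/)[0];`. The same line is added in test/core/public/configure.js, get-rules.js and run-rules.js and would need the same change. Separately, the deleted 'sets x.y as version for invalid versions' test set axe.version itself and so did not depend on the build's version string; if the library still has that fallback, keeping the test preserves its coverage.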
2 changes: 1 addition & 1 deletion test/core/export.js
Expand Up @@ -5,6 +5,6 @@ describe('export', function() {
assert.isDefined(window.axe);
});
it('should define version', function() {
assert.equal(axe.version, 'x.y.z');
assert.isNotNull(axe.version);
});
});
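Review bot: `assert.isNotNull(axe.version)` passes when axe.version is undefined, so the 'should define version' test no longer fails if the property is missing altogether. With the placeholder value gone, asserting the shape is the closest replacement: `assert.match(axe.version, /^\d+\.\d+\.\d+/);`, or at minimum `assert.isString(axe.version);`. This matters beyond the test itself if, as the removed 'axeAPI.x.y.z' literal suggests, the version string feeds the postMessage source tag; that link is inferred and should be confirmed against `_getSource()`.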
11 changes: 8 additions & 3 deletions test/core/public/configure.js
Expand Up @@ -4,6 +4,7 @@ describe('axe.configure', function() {
// var Check = axe._thisWillBeDeletedDoNotUse.base.Check;
var fixture = document.getElementById('fixture');
var axeVersion = axe.version;
var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));

afterEach(function() {
fixture.innerHTML = '';
Expand Down Expand Up @@ -96,7 +97,7 @@ describe('axe.configure', function() {
assert.lengthOf(axe._audit.rules, 1);
assert.equal(
axe._audit.data.rules.bob.helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI'
);
axe.configure({
branding: {
Expand All @@ -106,7 +107,9 @@ describe('axe.configure', function() {
});
assert.equal(
axe._audit.data.rules.bob.helpUrl,
'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
'https://dequeuniversity.com/rules/thung/' +
ver +
'/bob?application=thing'
);
});

Expand All @@ -129,7 +132,9 @@ describe('axe.configure', function() {

assert.equal(
axe._audit.data.rules.bob.helpUrl,
'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
'https://dequeuniversity.com/rules/thung/' +
ver +
'/bob?application=thing'
);
});

29 changes: 22 additions & 7 deletions test/core/public/get-rules.js
@@ -1,5 +1,6 @@
describe('axe.getRules', function() {
'use strict';
var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));

beforeEach(function() {
axe._load({
Expand Down Expand Up @@ -46,7 +47,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[0].help, 'halp');
assert.equal(
retValue[0].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule1?application=axeAPI'
);
assert.deepEqual(retValue[0].tags, ['tag1']);

Expand All @@ -55,7 +58,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[1].help, 'halp me!');
assert.equal(
retValue[1].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule2?application=axeAPI'
);
assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);

Expand All @@ -67,7 +72,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[0].help, 'halp me!');
assert.equal(
retValue[0].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule2?application=axeAPI'
);
assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']);
});
Expand All @@ -85,7 +92,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[0].help, 'halp');
assert.equal(
retValue[0].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule1?application=axeAPI'
);
assert.deepEqual(retValue[0].tags, ['tag1']);

Expand All @@ -94,7 +103,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[1].help, 'halp me!');
assert.equal(
retValue[1].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule2?application=axeAPI'
);
assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
});
Expand All @@ -106,7 +117,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[0].help, 'halp');
assert.equal(
retValue[0].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule1?application=axeAPI'
);
assert.deepEqual(retValue[0].tags, ['tag1']);

Expand All @@ -115,7 +128,9 @@ describe('axe.getRules', function() {
assert.equal(retValue[1].help, 'halp me!');
assert.equal(
retValue[1].helpUrl,
'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
'https://dequeuniversity.com/rules/axe/' +
ver +
'/awesomeRule2?application=axeAPI'
);
assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
});
17 changes: 13 additions & 4 deletions test/core/public/run-rules.js
@@ -1,5 +1,6 @@
describe('runRules', function() {
'use strict';
var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));

// These tests can sometimes be flaky in IE, allow for up to 3 retries
if (axe.testUtils.isIE11) {
Expand Down Expand Up @@ -206,7 +207,9 @@ describe('runRules', function() {
{
id: 'div#target',
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
'https://dequeuniversity.com/rules/axe/' +
ver +
'/div#target?application=axeAPI',
pageLevel: false,
impact: null,
inapplicable: [],
Expand Down Expand Up @@ -245,7 +248,9 @@ describe('runRules', function() {
{
id: 'first-div',
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
'https://dequeuniversity.com/rules/axe/' +
ver +
'/first-div?application=axeAPI',
pageLevel: false,
impact: null,
inapplicable: [],
Expand Down Expand Up @@ -512,7 +517,9 @@ describe('runRules', function() {
{
id: 'div#target',
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
'https://dequeuniversity.com/rules/axe/' +
ver +
'/div#target?application=axeAPI',
pageLevel: false,
foo: 'bar',
stuff: 'blah',
Expand Down Expand Up @@ -552,7 +559,9 @@ describe('runRules', function() {
{
id: 'first-div',
helpUrl:
'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
'https://dequeuniversity.com/rules/axe/' +
ver +
'/first-div?application=axeAPI',
pageLevel: false,
bar: 'foo',
stuff: 'no',