[Sanitizer] Add tests for safe + unsafe cases. (web-platform-tests#49761

)

This tests for differences between setHTML and setHTMLUnsafe.

Since the html5lib testcase format only supports one result per testcase, we use two testcase files with identical inputs,
one each with the expectations for safe and unsafe variants.

Also, a drive-by fix for an issue uncovered by the tests: The
spec demands we block insertion in a <script> element (in safe cases).

Bug: 356601280
Change-Id: I1fb19f60fdcd7262292a983b548baebcaf43a440
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6039899
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1397856}

Co-authored-by: Daniel Vogelheim <vogelheim@chromium.org>

sanitizer-api/sethtml-safety.dat

@@ -0,0 +1,50 @@
+#data
+test
+#document-fragment
+script
+#document
+
+#data
+<p>Hello</p>
+#document-fragment
+script
+#document
+
+#data
+<div>Hello<script>World</script>xxx
+#document
+| <div>
+|   "Hello"
+|   "xxx"
+
+#data
+<div>Hello<script>World</script>xxx
+#config
+{ "elements": ["div", "script"] }
+#document
+| <div>
+|   "Hello"
+|   "xxx"
+
+#data
+<svg>Hello<script>World</script>xxx
+#document
+| <svg svg>
+|   "Hello"
+|   "xxx"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#document
+| <img>
+|   src="https://bla.com/blubb"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#config
+{ "attributes": ["src", "onclick", "one"]}
+#document
+| <img>
+|   one="two"
+|   src="https://bla.com/blubb"
+

sanitizer-api/sethtml-safety.tentative.html

@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<head>
+<title>Testcases from the previous Sanitizer API</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/html5lib-testcase-support.js"></script>
+<script>
+promise_test(async _ => {
+  const safety = await fetch("sethtml-safety.dat").
+          then(response => response.text()).
+          then(parse_html5lib_testcases);
+  const unsafety = await fetch("sethtml-unsafety.dat").
+          then(response => response.text()).
+          then(parse_html5lib_testcases);
+
+  // Ensure that the "safe" and "unsafe" testcase inputs are the same and that
+  // they only differ only in the expected outcome.
+  assert_equals(safety.length, unsafety.length);
+  for (let i = 0; i < safety.length; i++) {
+    assert_equals(safety[i].data, unsafety[i].data);
+    assert_equals(safety[i].config, unsafety[i].config);
+    assert_equals(safety[i]["document-fragment"], unsafety[i]["document-fragment"]);
+  }
+
+  // The main tests here are non-async. Let's run them here, to make sure the
+  // two fetches have completed.
+  test_each("setHTML", safety);
+  test_each("setHTMLUnsafe", unsafety);
+}, "wrapper");
+
+function test_each(method, testcases) {
+  testcases.forEach((testcase, index) => {
+    test(_ => {
+      const context = document.createElement(testcase["document-fragment"] ?? "div");
+      let config = undefined;
+      try {
+        config = JSON.parse(testcase.config);
+      } catch { }
+
+      context[method].call(context, testcase.data, { sanitizer: config });
+      assert_testcase(context, testcase);
+    }, `Testcase #${index}, ${method}("${testcase.data})".`);
+  });
+}
+</script>
+</head>
+<body>
+</body>
+

sanitizer-api/sethtml-unsafety.dat

@@ -0,0 +1,61 @@
+#data
+test
+#document-fragment
+script
+#document
+| "test"
+
+#data
+<p>Hello</p>
+#document-fragment
+script
+#document
+| "<p>Hello</p>"
+
+#data
+<div>Hello<script>World</script>xxx
+#document
+| <div>
+|   "Hello"
+|   <script>
+|     "World"
+|   "xxx"
+
+#data
+<div>Hello<script>World</script>xxx
+#config
+{ "elements": ["div", "script"] }
+#document
+| <div>
+|   "Hello"
+|   <script>
+|     "World"
+|   "xxx"
+
+#data
+<svg>Hello<script>World</script>xxx
+#document
+| <svg svg>
+|   "Hello"
+|   <svg script>
+|     "World"
+|   "xxx"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#document
+| <img>
+|   onclick="2+2"
+|   one="two"
+|   src="https://bla.com/blubb"
+
+#data
+<img src="https://bla.com/blubb" onclick="2+2" one="two">
+#config
+{ "attributes": ["src", "onclick", "one"]}
+#document
+| <img>
+|   onclick="2+2"
+|   one="two"
+|   src="https://bla.com/blubb"
+