| <!DOCTYPE html><html><head></head><body><iframe id="x" name="x" src="/security/xssAuditor/resources/echo-intertag.pl?q=%3cscript%3ealert(/xss/)%3c/script%3e"></iframe> |
| <script> |
| var frame = document.getElementById('x'); |
| if (window.testRunner) { |
| testRunner.waitUntilDone(); |
| testRunner.setXSSAuditorEnabled(true); |
| testRunner.dumpAsMarkup(); |
| testRunner.dumpChildFrames(); |
| testRunner.setViewSourceForFrame('x', true); |
| frame.onload = testRunner.notifyDone.bind(testRunner); |
| } |
| frame.src = '/security/xssAuditor/resources/echo-intertag.pl?q=%3cscript%3ealert(/xss/)%3c/script%3e'; |
| </script> |
| <p>This test passes if the iframe is rendered in view-source mode such that script doesn't execute and |
| instead the "alert(/xss/)" is in a highlighted span.</p> |
| |
| </body></html> |
| |
| -------- |
| Frame: 'x' |
| -------- |
| <html><head></head><body><div class="line-gutter-backdrop"></div><table><tbody><tr><td class="line-number" value="1"></td><td class="line-content"><span class="html-doctype"><!DOCTYPE html></span></td></tr><tr><td class="line-number" value="2"></td><td class="line-content"><span class="html-tag"><html></span></td></tr><tr><td class="line-number" value="3"></td><td class="line-content"><span class="html-tag"><body></span></td></tr><tr><td class="line-number" value="4"></td><td class="line-content"><span class="html-tag"><script></span><span class="highlight" title="Token contains a reflected XSS vector">alert(/xss/)</span><span class="html-tag"></script></span>Page rendered here.</td></tr><tr><td class="line-number" value="5"></td><td class="line-content"><span class="html-tag"></body></span></td></tr><tr><td class="line-number" value="6"></td><td class="line-content"><span class="html-tag"></html></span></td></tr><tr><td class="line-number" value="7"></td><td class="line-content"><span class="html-end-of-file"></span></td></tr></tbody></table></body></html> |