| <html> |
| <body> |
| <p>Test that setRequestHeader properly checks for invalid characters in header values.</p> |
| <script> |
| if (window.testRunner) |
| testRunner.dumpAsText(); |
| |
| function test(val) { |
| var req = new XMLHttpRequest; |
| req.open("GET", "resources/print-headers.cgi", false); |
| |
| try { |
| req.setRequestHeader("Test", val); |
| } catch (ex) { |
| document.write("<p>" + escape(val) + " -> SUCCESS, setRequestHeader() raised an exception " + ex + "</p>"); |
| return; |
| } |
| |
| try { |
| req.send(""); |
| if (req.responseText.match("HTTP_EVIL")) |
| document.write("<p>" + escape(val) + " -> FAILURE - evil header injected!</p>"); |
| else |
| document.write("<p>" + escape(val) + " -> setRequestHeader() didn't throw, but server didn't see the evil header.</p>"); |
| |
| } catch (ex) { |
| alert("Unexpected exception: " + ex); |
| } |
| } |
| |
| test("\nE\nvil: on"); |
| test("\rE\rvil: on"); |
| test("\r\nEvil\r\n: on"); |
| test("\n\rEvil\r\n: on"); |
| test("\r\nEvil: o\0n\n\r"); |
| </script> |
| </body> |
| </html> |
