LayoutTests/js/taintedness-innerhtml.html - external/github.com/WebKit/webkit - Git at Google

 <!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] -->
 <html>
 <head>
 <script src="../resources/js-test.js"></script>
 </head>
 <body>
 <div id="foo"></div>
 <script>
     description("Test taintedness is tracked via several ways to inject scripts in WebCore");
     // jsTestIsAsync = true;


     let foo = document.getElementById("foo");

     shouldBeKnownTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'KnownTainted\\')";
     shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')";
     shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')";
     // state is IndirectlyTainted because the function itself is created in the innerHTML function not the runTaintedString call and we don't have a JS frame on the stack for taintedness tracking as this is executed as JSONP.
     $vm.runTaintedString(`
         foo.innerHTML = '<img src="x" onerror="${shouldBeIndirectlyTaintedString}" />;';
     `);

     setTimeout(() => {
         shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
         $vm.runTaintedString(`
             let some_script = document.createElement("script");
             some_script.type = "text/javascript";
             some_script.text = "${shouldBeKnownTaintedString}";
             document.body.appendChild(some_script);
         `);
     });

     setTimeout(() => {
         shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
         $vm.runTaintedString(`
             globalThis.some_script = document.createElement("script");
             globalThis.some_script.type = "text/javascript";
             globalThis.some_script.text = "${shouldBeIndirectlyTaintedString}";
         `);
         document.body.appendChild(globalThis.some_script);
     });

 </script>
 </body>
 </html>
	<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--useDollarVM=true ] -->
	<html>
	<head>
	<script src="../resources/js-test.js"></script>
	</head>
	<body>
	<div id="foo"></div>
	<script>
	description("Test taintedness is tracked via several ways to inject scripts in WebCore");
	// jsTestIsAsync = true;


	let foo = document.getElementById("foo");

	shouldBeKnownTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'KnownTainted\\')";
	shouldBeIndirectlyTaintedString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTainted\\')";
	shouldBeIndirectlyTaintedByHistoryString = "shouldBeEqualToString(\\'$vm.vmTaintedState()\\', \\'IndirectlyTaintedByHistory\\')";
	// state is IndirectlyTainted because the function itself is created in the innerHTML function not the runTaintedString call and we don't have a JS frame on the stack for taintedness tracking as this is executed as JSONP.
	$vm.runTaintedString(`
	foo.innerHTML = '<img src="x" onerror="${shouldBeIndirectlyTaintedString}" />;';
	`);

	setTimeout(() => {
	shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
	$vm.runTaintedString(`
	let some_script = document.createElement("script");
	some_script.type = "text/javascript";
	some_script.text = "${shouldBeKnownTaintedString}";
	document.body.appendChild(some_script);
	`);
	});

	setTimeout(() => {
	shouldBeEqualToString("$vm.vmTaintedState()", "Untainted");
	$vm.runTaintedString(`
	globalThis.some_script = document.createElement("script");
	globalThis.some_script.type = "text/javascript";
	globalThis.some_script.text = "${shouldBeIndirectlyTaintedString}";
	`);
	document.body.appendChild(globalThis.some_script);
	});

	</script>
	</body>
	</html>