cure53 / jPurify


Is there a way to test the exploit without popping up an alert? #6

Open DinisCruz opened 8 years ago

DinisCruz commented 8 years ago

That should make the tests more solid, since as I'm reading it, the way to check if jPurify is working is to run it and confirm that no popup test is running (right?)

Are there tests that show those sinks actually triggering the javascript execution?

cure53 commented 8 years ago

Not sure if I understand the question 100% right. What exactly do you mean?

DinisCruz commented 8 years ago

At the moment it looks like the tests are designed to show that the popup does not happen

 $('#append').append('<li>#append XSS from HTML string</li><iframe/onload=alert(2.1)>', '<iframe/onload=alert(2.2)>');

right?

cure53 commented 8 years ago

Yep, exactly. You want it the other way round, correct?

DinisCruz commented 8 years ago

For the cases where it is exploitable, yes, we should be testing that the alert was called.
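One way to get that positive test without a dialog popping up, written here as an added example and not part of jPurify's own test suite: swap `window.alert` for a recording stub for the duration of the sink call, then assert on what was recorded. With no purifier the sink must produce one recorded call per payload; with the purifier active the list must stay empty. Node has no DOM, so the browser's firing of the `onload` handler and jPurify's sanitization are both replaced by labelled stand-ins (`browserStandIn`, `sanitizeStandIn`); in the real test page the same `withAlertSpy` wraps the `$('#append').append(...)` call and the stand-ins disappear.

```javascript
// Added example, not jPurify's code: a test helper that records calls to
// alert() instead of showing a dialog, so one harness can assert both that a
// sink DID execute (no purifier) and that it did NOT (purifier active).

function withAlertSpy(run) {
  const calls = [];
  const original = globalThis.alert;
  globalThis.alert = (...args) => { calls.push(args); };
  try {
    run();
  } finally {
    globalThis.alert = original; // always restore, even if run() throws
  }
  return calls;
}

// Stand-in for the browser handling an injected <iframe/onload=alert(...)>.
// Node has no DOM, so this scans the markup for onload=alert(<value>) and
// invokes the global alert the way the browser would fire the handler.
// Constructed for this example; a real test drives $().append() in a browser.
const ONLOAD_ALERT = /onload=alert\(([^)]*)\)/g;

function browserStandIn(html) {
  for (const m of html.matchAll(ONLOAD_ALERT)) {
    globalThis.alert(Number(m[1]));
  }
}

// Hypothetical stand-in for what the purifier does before the string reaches
// the DOM: strip on* event-handler attributes (both "<iframe onload=" and the
// "<iframe/onload=" form used in the issue).
function sanitizeStandIn(html) {
  return html.replace(/[\s/]on\w+=[^\s>]+/gi, "");
}

// The two payloads from the thread's $('#append').append(...) call.
const PAYLOADS = [
  "<li>#append XSS from HTML string</li><iframe/onload=alert(2.1)>",
  "<iframe/onload=alert(2.2)>",
];

// Positive test: without the purifier every payload must fire its handler.
function alertsWithoutPurify() {
  return withAlertSpy(() => PAYLOADS.forEach(browserStandIn));
}

// Negative test: with the purifier nothing may reach alert().
function alertsWithPurify() {
  return withAlertSpy(() =>
    PAYLOADS.forEach((p) => browserStandIn(sanitizeStandIn(p)))
  );
}

console.log("without purifier:", JSON.stringify(alertsWithoutPurify()));
console.log("with purifier:   ", JSON.stringify(alertsWithPurify()));
```

The spy has to be installed before the sink runs and stay installed until the handler has had a chance to fire, which is why the restore sits in `finally` rather than after the assertion; an exception inside the sink would otherwise leave a silent `alert` stub behind and mask later failures.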

cure53 commented 8 years ago

So, what is needed from our side?

DinisCruz commented 8 years ago

@cure53 check this test out

https://github.com/OWASP/Maturity-Models/issues/153#issuecomment-234985203

a 'jquery variation of that' should work here right?