Open DinisCruz opened 8 years ago
Not sure if I understand the question 100% right. What exactly do you mean?
At the moment it looks like the tests are designed to show that the popup does not happen:

```javascript
$('#append').append('<li>#append XSS from HTML string</li><iframe/onload=alert(2.1)>', '<iframe/onload=alert(2.2)>');
```

right?
Yep, exactly. You want it the other way round, correct?
For the cases where it is exploitable, yes, we should be testing that the alert was called.
So, what is needed from our side?
@cure53 check this test out
https://github.com/OWASP/Maturity-Models/issues/153#issuecomment-234985203
A 'jquery variation of that' should work here, right?
That should make the tests more solid, since as I'm reading it, the way to check if jPurify is working is to run it and confirm that no popup test is running (right?)
Are there tests that show those sinks actually triggering the javascript execution?