phetsims / atomic-interactions

"Atomic Interactions" is an educational simulation in HTML5, by PhET Interactive Simulations.
GNU General Public License v3.0

StringTest=xss error #58

Closed BryceAG closed 8 years ago

BryceAG commented 8 years ago

Test device: Bates
Operating System: Windows 7
Browser: Chrome
Problem description: only shows graph line
Steps to reproduce: use stringTest=xss
Severity:

Screenshots: image

I couldn't even get to report a problem, so I used the report a problem from the general RC test without string Tests. The troubleshooting information may be off.

Troubleshooting information (do not edit):
Name: Atomic Interactions
URL: http://www.colorado.edu/physics/phet/dev/html/atomic-interactions/1.0.0-rc.1/atomic-interactions_en.html
Version: 1.0.0-rc.1 2016-09-09 17:02:59 UTC
Features missing: touch
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.101 Safari/537.36
Language: en-US
Window: 1366x662
Pixel Ratio: 1/1
WebGL: WebGL 1.0 (OpenGL ES 2.0 Chromium)
GLSL: WebGL GLSL ES 1.0 (OpenGL ES GLSL ES 1.0 Chromium)
Vendor: WebKit (WebKit WebGL)
Vertex: attribs: 16 varying: 10 uniform: 253
Texture: size: 8192 imageUnits: 16 (vertex: 16, combined: 32)
Max viewport: 4096x4096
OES_texture_float: true
Dependencies JSON: {"assert":{"sha":"7d27130a","branch":"HEAD"},"atomic-interactions":{"sha":"1c14ec28","branch":"HEAD"},"axon":{"sha":"b4404f00","branch":"HEAD"},"babel":{"sha":"b7c92df4","branch":"master"},"brand":{"sha":"f0b1f7da","branch":"HEAD"},"chipper":{"sha":"794fb3bc","branch":"HEAD"},"dot":{"sha":"23b13772","branch":"HEAD"},"joist":{"sha":"e62721dd","branch":"HEAD"},"kite":{"sha":"3b656b9a","branch":"HEAD"},"nitroglycerin":{"sha":"ad3cb990","branch":"HEAD"},"phet-core":{"sha":"c48bf320","branch":"HEAD"},"phetcommon":{"sha":"83ea84c8","branch":"HEAD"},"scenery":{"sha":"cee9ad57","branch":"HEAD"},"scenery-phet":{"sha":"9d87b624","branch":"HEAD"},"sherpa":{"sha":"bcc28cd6","branch":"HEAD"},"states-of-matter":{"sha":"2bb9be2a","branch":"HEAD"},"sun":{"sha":"10af95af","branch":"HEAD"},"tandem":{"sha":"4a8edbc9","branch":"HEAD"}}

related to phetsims/tasks#693

brroberts1231 commented 8 years ago

Also happens on Win 8 Chrome and Firefox

phet-steele commented 8 years ago

@jbphet, here's some helpful information. ?stringTest=%20 has exactly the same effect as the above screenshot.

phet-steele commented 8 years ago

In case you want it, I got it:

Troubleshooting information:
Name:
URL: http://www.colorado.edu/physics/phet/dev/html/atomic-interactions/1.0.0-rc.1/atomic-interactions_en.html?stringTest=%20
Version: 1.0.0-rc.1 2016-09-09 17:02:59 UTC
Features missing: touch
Flags: pixelRatioScaling
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36
Language: en-US
Window: 1388x1000
Pixel Ratio: 2/1
WebGL: WebGL 1.0 (OpenGL ES 2.0 Chromium)
GLSL: WebGL GLSL ES 1.0 (OpenGL ES GLSL ES 1.0 Chromium)
Vendor: WebKit (WebKit WebGL)
Vertex: attribs: 16 varying: 32 uniform: 1024
Texture: size: 16384 imageUnits: 16 (vertex: 16, combined: 16)
Max viewport: 16384x16384
OES_texture_float: true
Dependencies JSON: {"assert":{"sha":"7d27130a","branch":"HEAD"},"atomic-interactions":{"sha":"1c14ec28","branch":"HEAD"},"axon":{"sha":"b4404f00","branch":"HEAD"},"babel":{"sha":"b7c92df4","branch":"master"},"brand":{"sha":"f0b1f7da","branch":"HEAD"},"chipper":{"sha":"794fb3bc","branch":"HEAD"},"dot":{"sha":"23b13772","branch":"HEAD"},"joist":{"sha":"e62721dd","branch":"HEAD"},"kite":{"sha":"3b656b9a","branch":"HEAD"},"nitroglycerin":{"sha":"ad3cb990","branch":"HEAD"},"phet-core":{"sha":"c48bf320","branch":"HEAD"},"phetcommon":{"sha":"83ea84c8","branch":"HEAD"},"scenery":{"sha":"cee9ad57","branch":"HEAD"},"scenery-phet":{"sha":"9d87b624","branch":"HEAD"},"sherpa":{"sha":"bcc28cd6","branch":"HEAD"},"states-of-matter":{"sha":"2bb9be2a","branch":"HEAD"},"sun":{"sha":"10af95af","branch":"HEAD"},"tandem":{"sha":"4a8edbc9","branch":"HEAD"}}

pixelzoom commented 8 years ago

Some other useful information, from Skype thread:

[9/19/16, 11:31:54 AM] John Blanco: Atomic Interactions is having a similar issue, though it's not hanging. I recall that we'd said before that as long as the sim doesn't redirect it passes the test, but I don't think we'd considered the case of hanging on startup.
[9/19/16, 11:32:10 AM] Chris Malley: What are the symptoms in AI?
[9/19/16, 11:32:51 AM] John Blanco: https://github.com/phetsims/atomic-interactions/issues/58
[9/19/16, 11:33:07 AM] Chris Malley: Testing a few other sims... Concentration experiences an uncaught Error in scenery.Path.
[9/19/16, 11:33:37 AM] Chris Malley: What am I looking at in that AI issue?
[9/19/16, 11:33:48 AM] Chris Malley: ... the screenshot. Is that how it's supposed to look?
[9/19/16, 11:34:48 AM] John Blanco: Basically that the sim doesn't start up properly.
[9/19/16, 11:35:05 AM] Chris Malley: so it's drawing some garbage but otherwise hangs?
[9/19/16, 11:35:28 AM] Chris Malley: or is that red squiggly line meaningful?
[9/19/16, 11:36:10 AM] John Blanco: Yes, the squiggly is a canvas that generally represents the interaction potential on the graph, but it's the only thing that gets rendered.
[9/19/16, 11:36:27 AM] John Blanco: And nothing appears on the console.
[9/19/16, 11:36:34 AM] Chris Malley: ditto for plinko
[9/19/16, 11:36:54 AM] John Blanco: The code checklist says, "Does the sim stay on the sim page (doesn't redirect to an external page) when running with the query parameter"
[9/19/16, 11:37:10 AM] Chris Malley: and the browser (Chrome anyway) needs to be killed, because it's unresponsive.
[9/19/16, 11:37:46 AM] John Blanco: That's not the case for Chrome for me when testing AI

jbphet commented 8 years ago

The code checklist says, "Does the sim stay on the sim page (doesn't redirect to an external page) when running with the query parameter". So, strictly speaking, this version of the sim passes the test, even though it is not rendering correctly. We are going to discuss how to deal with the xss string test in an upcoming developer meeting to improve the test and clarify what constitutes passing and failing of the test.

I'm going to mark this as "won't fix" and close it, since the sim is essentially passing the test and since the only time we would encounter the problems described above is if a translator tried something malicious.