1.0.0-rc.1 fails ?stringTest=xss

[phet-steele]

You get redirected with this http://www.colorado.edu/physics/phet/dev/html/unit-rates/1.0.0-rc.1/unit-rates_en.html?stringTest=xss

NOT an issue in the most recent dev version http://www.colorado.edu/physics/phet/dev/html/unit-rates/1.0.0-dev.74/unit-rates_en.html?stringTest=xss

Seen on macOS 10.12.4 browsers. For phetsims/tasks/issues/809. Troubleshooting info from a version without the query parameter:

URL: http://www.colorado.edu/physics/phet/dev/html/unit-rates/1.0.0-rc.1/unit-rates_en.html Version: 1.0.0-rc.1 2017-04-03 16:25:51 UTC Features missing: touch Flags: pixelRatioScaling User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Language: en-US Window: 1920x1013 Pixel Ratio: 2/1 WebGL: WebGL 1.0 (OpenGL ES 2.0 Chromium) GLSL: WebGL GLSL ES 1.0 (OpenGL ES GLSL ES 1.0 Chromium) Vendor: WebKit (WebKit WebGL) Vertex: attribs: 16 varying: 32 uniform: 1024 Texture: size: 16384 imageUnits: 16 (vertex: 16, combined: 80) Max viewport: 16384x16384 OES_texture_float: true Dependencies JSON: {"assert":{"sha":"a707328c","branch":"HEAD"},"axon":{"sha":"f7720d0e","branch":"HEAD"},"babel":{"sha":"2c0b8738","branch":"master"},"brand":{"sha":"b6bdbc2b","branch":"HEAD"},"chipper":{"sha":"52c3aa33","branch":"HEAD"},"dot":{"sha":"569939e1","branch":"HEAD"},"joist":{"sha":"c5a63104","branch":"HEAD"},"kite":{"sha":"81166ce9","branch":"HEAD"},"phet-core":{"sha":"c5c6c2a8","branch":"HEAD"},"phetcommon":{"sha":"85801e7b","branch":"HEAD"},"query-string-machine":{"sha":"d8a4ff18","branch":"HEAD"},"scenery":{"sha":"b8b09445","branch":"HEAD"},"scenery-phet":{"sha":"6213dc27","branch":"HEAD"},"sherpa":{"sha":"3255de0f","branch":"HEAD"},"sun":{"sha":"81abf142","branch":"HEAD"},"tandem":{"sha":"a668abd5","branch":"HEAD"},"twixt":{"sha":"d35abfaf","branch":"HEAD"},"unit-rates":{"sha":"28bf4fae","branch":"HEAD"}}

[phet-steele]

@pixelzoom hold up, this is not sim specific. A recent change in a common repo must have broken this.

[jessegreenberg]

Gah, sorry, a change I made is the cause of this. This is happening because the xss string is being added as innerHTML on elements that are in the DOM for accessibility. I am about to commit a fix.

[pixelzoom]

@jessegreenberg Which repository is affected? Is this something that can be easily patched in the release branch?

[jessegreenberg]

scenery, I created an issue above.

[pixelzoom]

@phet-steele Please pause this RC test. We'll probably need to start over, because this looks like something that I can't patch in the release branch.

[jessegreenberg]

This should be fixed with the above commit, ?stringTest=xss no longer redirects to another page.

[pixelzoom]

Verified in master. Closing.

@phet-steele We're going to abort the 1.0.0-rc.1 and start over. Stand by.