erp5_web_js_style_test: xxx xss test

bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleNoStyleXSS.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>content_type</string> </key>
+            <value> <string>text/html</string> </value>
+        </item>
+        <item>
+            <key> <string>expand</string> </key>
+            <value> <int>0</int> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>testJsStyleNoStyleXSS</string> </value>
+        </item>
+        <item>
+            <key> <string>output_encoding</string> </key>
+            <value> <string>utf-8</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value> <unicode></unicode> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleNoStyleXSS.zpt

+<html xmlns:tal="http://xml.zope.org/namespaces/tal"
+      xmlns:metal="http://xml.zope.org/namespaces/metal">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Test JS Style No Style</title>
+</head>
+<body>
+<table cellpadding="1" cellspacing="1" border="1">
+<thead>
+<tr><td rowspan="1" colspan="3">Test JS Style No Style</td></tr>
+</thead><tbody>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
+
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=xss</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+
+
+<!-- Initialize -->
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>assertElementNotPresent</td>
+  <td>//head/link[@rel='prerender']</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/link[@rel='alternate' and @type='application/rss+xml' and @href='feed.rss']</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//head/link[@rel='stylesheet' and @href='jsstyle.css']</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/link[@rel='stylesheet' and @href='jsstyle.css']</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>assertElementPresent</td>
+  <td>//nav[@id='sitemap']/a[text()='No Style']</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>assertElementPresent</td>
+  <td>//nav[@id='language']//a[@hreflang='en']</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>assertElementPresent</td>
+  <td>//aside[@id='document_list']//ul[@class="h-feed"]//li[@class="h-entry"]//div[@class="e-content"]//h2[@class="p-name" and text()='erp5_web_js_style_test_contentpage title']</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//aside[@id='document_list']//ul[@class="h-feed"]//li[@class="h-entry"]//div[@class="e-content"]//p[@class="p-summary" and text()='erp5_web_js_style_test_contentpage description']</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//aside[@id='document_list']//ul[@class="h-feed"]//li[@class="h-entry"]//p[@class="p-author h-card" and text()='erp5_web_js_style_test_contributor']</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//aside[@id='document_list']//ul[@class="h-feed"]//li[@class="h-entry"]//a[@class="u-url" and @rel='permalink' and contains(@href, 'web_site_module/erp5_web_js_style_test_site/erp5_web_js_style_test_contentpage')]//time[@class="dt-published" and contains(@datetime, 'T')]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>assertElementPresent</td>
+  <td>//div[@class='input']/span[@class='headline' and text()='No Style']</td>
+  <td></td>
+</tr>
+
+</tbody></table>
+</body>
+</html>
\ No newline at end of file

bt5/erp5_web_js_style_test/SkinTemplateItem/portal_skins/erp5_web_js_style_test/ERP5Site_createWebJSStyleZuiteTestData.py

@@ -34,6 +34,9 @@ web_page_content_en_id = "erp5_web_js_style_test_contentpage_en"
 web_page_content_fr_id = "erp5_web_js_style_test_contentpage_fr"
 web_page_content_zh_id = "erp5_web_js_style_test_contentpage_zh"
 
+web_page_xss_content_en_id = "erp5_web_js_style_test_xss_contentpage_en"
+web_page_xss_content_reference = '<script>alert("xss reference")</script>'
+
 publicate_date = DateTime('2011/12/13 11:22:33 GMT+5')
 
 ### English web page
@@ -151,7 +154,28 @@ web_page = module.newContent(
 )
 portal.portal_workflow.doActionFor(web_page, 'publish_action')
 
+### English xss web page
+module = portal.getDefaultModule(web_page_portal_type)
+if getattr(module, web_page_xss_content_en_id, None) is not None:
+  module.manage_delObjects([web_page_xss_content_en_id])
+web_page = module.newContent(
+  portal_type=web_page_portal_type,
+  id=web_page_xss_content_en_id,
+  reference=web_page_xss_content_reference,
+  contributor_value=contributor,
+  language="en",
+  version="001",
+  text_content="""
+<script>alert("xss content")</script>
+"""
+)
+portal.portal_workflow.doActionFor(web_page, 'publish_action')
+
 configuration_dict = {
+  'xss': {
+    'title': '<script>alert("xss")</script>',
+    'site_map_section_parent': True
+  },
   'nostyle': {
     'title': 'No Style',
     'site_map_section_parent': True
@@ -251,7 +275,10 @@ web_site = module.newContent(
   criterion_property_list=('reference',),
   **configuration_dict[configuration]
 )
-web_site.setCriterion('reference', identity='erp5_web_js_style_test_contentpage')
+if configuration == 'xss':
+  web_site.setCriterion('reference', identity=web_page_xss_content_reference)
+else:
+  web_site.setCriterion('reference', identity=web_page_content_reference)
 
 web_section = web_site.newContent(
   portal_type=web_section_portal_type,
@@ -284,4 +311,13 @@ if configuration == 'form':
     custom_render_method_id='WebSite_viewJSStyleTestDialog'
   )
 
+if configuration == 'xss':
+  web_site.newContent(
+    portal_type=web_section_portal_type,
+    id='%s4' % web_section_id_prefix,
+    aggregate_value=web_site.getAggregateValue(),
+    title='<script>alert("xss section")</script>',
+    visible=True
+  )
+
 return "Web Site created."