From 709238294ea83525e62476ce59d734c57c11fd3f Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Fri, 4 Mar 2022 18:14:55 +0100
Subject: fix setting of 'blocked-blocked<...>-' attributes and add tests
---
 content/policy_enforcing.js | 4 +--
 .../data/pages/scripts_to_block_1.html | 3 ++-
 test/haketilo_test/unit/test_policy_enforcing.py | 29 ++++++++++++++--------
 3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 0bbe3c6..29990b8 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -118,12 +118,12 @@ function block_attribute(node, attr, ns=null, replace_with=null) {
 * relatively easily accessed in case they contain some useful data.
 */
 const construct_name = [attr];
- while (hasa(node, construct_name.join("")))
+ while (hasa(node, construct_name.join("-")))
 construct_name.unshift(blocked_str);
 while (construct_name.length > 1) {
 construct_name.shift();
- const name = construct_name.join("");
+ const name = construct_name.join("-");
 seta(node, `${blocked_str}-${name}`, geta(node, name));
 }
diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html
index 164979d..e7793ee 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_1.html
+++ b/test/haketilo_test/data/pages/scripts_to_block_1.html
@@ -30,7 +30,8 @@ s and intrinsic javascript in pages. """
+ def assert_properly_blocked():
+ for i in range(1, 3):
+ driver.find_element_by_id(f'clickme{i}').click()
+
+ assert set(driver.execute_script('return window.__run || [];')) == set()
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+ for attr in ('onclick', 'href', 'src', 'data'):
+ elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+ assert 'blocked' in elem.get_attribute(attr)
+ assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+ but1 = driver.find_element_by_id('clickme1')
+ assert but1.get_attribute('blocked-blocked-onclick') == \
+ "some useful data"
+
 # First, see if scripts run when not blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
 'policy': allow_policy,
@@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting
 })
-
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 # Now, verify only scripts with nonce can run when payload is injected.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
@@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting
 })
-
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 assert are_scripts_allowed(driver, nonce)
-- cgit v1.2.3
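Review bot: The positive check `assert 'blocked' in elem.get_attribute(attr)` in the `for attr in (...)` loop of `assert_properly_blocked` shows the live attribute was rewritten, but not that the original payload has left it; add the negative assertion `assert '__run = [...(' not in elem.get_attribute(attr)` beside it so the test pins the property that matters, that the executable content no longer sits in the attribute the browser honours. `find_element_by_css_selector(f'[blocked-{attr}]')` inspects only the first match, so if the fixture page carries the same attribute on several elements (both clickme1 and clickme2 are clicked, which suggests it does) the others go unchecked; `find_elements_by_css_selector` with a loop over every match would close that gap. The helper is also undocumented; a one-line docstring such as `"""Click the test buttons, then check no blocked script ran and every blocked attribute was renamed with its payload preserved."""` would say what "properly blocked" means. The header of this first hunk looks garbled in this rendering and the enclosing `test_policy_enforcing_html` starts outside it; the two later hunks only swap the inlined checks for calls to the helper.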