From 709238294ea83525e62476ce59d734c57c11fd3f Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Fri, 4 Mar 2022 18:14:55 +0100
Subject: fix setting of 'blocked-blocked<...>-' attributes and add tests
---
 .../data/pages/scripts_to_block_1.html | 3 ++-
 test/haketilo_test/unit/test_policy_enforcing.py | 29 ++++++++++++++--------
 2 files changed, 21 insertions(+), 11 deletions(-)
(limited to 'test')
diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html
index 164979d..e7793ee 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_1.html
+++ b/test/haketilo_test/data/pages/scripts_to_block_1.html
@@ -30,7 +30,8 @@ s and intrinsic javascript in pages. """
+ def assert_properly_blocked():
+ for i in range(1, 3):
+ driver.find_element_by_id(f'clickme{i}').click()
+
+ assert set(driver.execute_script('return window.__run || [];')) == set()
+ assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+ for attr in ('onclick', 'href', 'src', 'data'):
+ elem = driver.find_element_by_css_selector(f'[blocked-{attr}]')
+
+ assert 'blocked' in elem.get_attribute(attr)
+ assert '__run = [...(' in elem.get_attribute(f'blocked-{attr}')
+
+ but1 = driver.find_element_by_id('clickme1')
+ assert but1.get_attribute('blocked-blocked-onclick') == \
+ "some useful data"
+ # First, see if scripts run when not blocked.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', { 'policy': allow_policy,
@@ -94,11 +111,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting })
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 # Now, verify only scripts with nonce can run when payload is injected.
 get(driver, 'https://gotmyowndoma.in/scripts_to_block_1.html', {
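Review bot: The loop over `('onclick', 'href', 'src', 'data')` in `assert_properly_blocked` only checks that the live attribute contains the substring `'blocked'` and that the `blocked-{attr}` stash holds the original payload; it never asserts that the payload is gone from the live attribute, which is the property the blocking is meant to guarantee. Adding `assert '__run = [...(' not in elem.get_attribute(attr)` next to the existing `'blocked' in` check pins that directly, so a regression that leaves the original handler in place while also copying it into `blocked-*` fails instead of passing. Note also that Selenium's `get_attribute` returns `None` for a missing attribute, so the `in` checks would raise `TypeError` rather than `AssertionError`; if a clean assertion message matters, compare against `elem.get_attribute(attr) or ''`. The enclosing `test_policy_enforcing_html` starts outside the hunk, and the html file's hunk body and the test file's diff header appear to be missing from this rendering, so the hunk under `@@ -30,7 +30,8 @@` is read here as the test-file change.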
@@ -106,9 +119,5 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 **csp_off_setting })
- for i in range(1, 3):
- driver.find_element_by_id(f'clickme{i}').click()
-
- assert set(driver.execute_script('return window.__run || [];')) == set()
- assert bool(csp_off_setting) == are_scripts_allowed(driver)
+ assert_properly_blocked()
 assert are_scripts_allowed(driver, nonce)
-- cgit v1.2.3