ember-cli-fastboot/test-packages/test-scenarios/fastboot-shoebox-test.mjs at 8a5fcc825ad5ade145c2cbc94447f0ec8461534b · ember-fastboot/ember-cli-fastboot · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
import qunit from 'qunit';
import { merge } from 'lodash-es';
import { expect } from 'chai';

import { appScenarios } from './scenarios.mjs';
import buildFastboot from './helpers/build-fastboot.mjs';

const { module: Qmodule, test } = qunit;

appScenarios
  .map('fastboot-shoebox-test', (project) => {
    merge(project.files, {
      app: {
        routes: {
          'application.js': `import Route from '@ember/routing/route';
          import { service } from '@ember/service'

          export default class ApplicationRoute extends Route {
            @service fastboot;

            model() {
              const fastboot = this.fastboot;
              var shoebox = fastboot.shoebox;
              if (fastboot.isFastBoot) {
                shoebox.put('key1', { foo: 'bar' });
                shoebox.put('key2', { zip: 'zap' });
                shoebox.put('key3', { htmlSpecialCase: 'R&B > Jazz' });
                shoebox.put('key4', { nastyScriptCase: "<script>alert('owned');</script></script></script>" });
                shoebox.put('key5', { otherUnicodeChars: '&&>><<\u2028\u2028\u2029\u2029' });
              }
            }
          }`,
        },
      },
    });
  })
  .forEachScenario((scenario) => {
    Qmodule(scenario.name, function (hooks) {
      let app; // PreparedApp
      let fastboot;

      hooks.before(async () => {
        app = await scenario.prepare();
        fastboot = await buildFastboot(app);
      });

      test('can render the escaped shoebox HTML', async function (assert) {
        // we ported the tests directly from mocha so we're re-using the expect style
        assert.expect(0);

        const html = await fastboot.visit('/').then((r) => r.html());

        expect(html).to.match(
          /<script type="fastboot\/shoebox" id="shoebox-key1">{"foo":"bar"}<\/script>/
        );
        expect(html).to.match(
          /<script type="fastboot\/shoebox" id="shoebox-key2">{"zip":"zap"}<\/script>/
        );

        // Special characters are JSON encoded, most notably the </script sequence.
        expect(html).to.include(
          '<script type="fastboot/shoebox" id="shoebox-key4">{"nastyScriptCase":"\\u003cscript\\u003ealert(\'owned\');\\u003c/script\\u003e\\u003c/script\\u003e\\u003c/script\\u003e"}</script>'
        );

        expect(html).to.include(
          '<script type="fastboot/shoebox" id="shoebox-key5">{"otherUnicodeChars":"\\u0026\\u0026\\u003e\\u003e\\u003c\\u003c\\u2028\\u2028\\u2029\\u2029"}</script>'
        );
      });

      test('can render the escaped shoebox HTML with shouldRender set to false', async function (assert) {
        // we ported the tests directly from mocha so we're re-using the expect style
        assert.expect(0);

        const html = await fastboot
          .visit('/', {
            shouldRender: false,
          })
          .then((r) => r.html());

        expect(html).to.match(
          /<script type="fastboot\/shoebox" id="shoebox-key1">{"foo":"bar"}<\/script>/
        );
        expect(html).to.match(
          /<script type="fastboot\/shoebox" id="shoebox-key2">{"zip":"zap"}<\/script>/
        );

        // Special characters are JSON encoded, most notably the </script sequence.
        expect(html).to.include(
          '<script type="fastboot/shoebox" id="shoebox-key4">{"nastyScriptCase":"\\u003cscript\\u003ealert(\'owned\');\\u003c/script\\u003e\\u003c/script\\u003e\\u003c/script\\u003e"}</script>'
        );

        expect(html).to.include(
          '<script type="fastboot/shoebox" id="shoebox-key5">{"otherUnicodeChars":"\\u0026\\u0026\\u003e\\u003e\\u003c\\u003c\\u2028\\u2028\\u2029\\u2029"}</script>'
        );
      });

      test('cannot render the escaped shoebox HTML when disableShoebox is set to true', async function (assert) {
        // we ported the tests directly from mocha so we're re-using the expect style
        assert.expect(0);

        const html = await fastboot
          .visit('/', {
            disableShoebox: true,
          })
          .then((r) => r.html());

        expect(html).to.not.match(
          /<script type="fastboot\/shoebox" id="shoebox-key1">{"foo":"bar"}<\/script>/
        );
        expect(html).to.not.match(
          /<script type="fastboot\/shoebox" id="shoebox-key2">{"zip":"zap"}<\/script>/
        );

        // Special characters are JSON encoded, most notably the </script sequence.
        expect(html).to.not.include(
          '<script type="fastboot/shoebox" id="shoebox-key4">{"nastyScriptCase":"\\u003cscript\\u003ealert(\'owned\');\\u003c/script\\u003e\\u003c/script\\u003e\\u003c/script\\u003e"}</script>'
        );

        expect(html).to.not.include(
          '<script type="fastboot/shoebox" id="shoebox-key5">{"otherUnicodeChars":"\\u0026\\u0026\\u003e\\u003e\\u003c\\u003c\\u2028\\u2028\\u2029\\u2029"}</script>'
        );
      });
    });
  });