<!DOCTYPE HTML>
<html>
<head>
  <title>Test for Login Manager</title>
  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>  
  <script type="text/javascript" src="pwmgr_common.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
Login Manager test: 360493
<p id="display"></p>
<div id="content" style="display: none">
  <!-- Hidden fixture for the test script at the end of this page: ten login
       forms with identical fields that differ only in |action| / |method|.
       The script expects forms 1 to 9 to be filled in and form 10 to be
       left unfilled. -->

  <!-- normal form with normal relative action. -->
  <form id="form1" action="formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL -->
  <form id="form2" action="http://mochi.test:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL, and change the path (same scheme, host and port as form2) -->
  <form id="form3" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- fully specify the action URL, and change the path and filename (same scheme, host and port as form2) -->
  <form id="form4" action="http://mochi.test:8888/zomg/wtf/bbq/passwordmgr/test/not_a_test.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- specify the action URL relative to the current document -->
  <form id="form5" action="./formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- specify the action URL relative to the current server -->
  <form id="form6" action="/tests/toolkit/components/passwordmgr/test/formtest.js">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- Change the method from get to post (the other forms set no |method|) -->
  <form id="form7" action="formtest.js" method="POST">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- Blank action URL specified -->
  <form id="form8" action="">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- |action| attribute entirely missing -->
  <form id="form9" >
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- action URL uses the javascript: scheme. This is the negative case: the
       test script expects these fields to stay unfilled, because the login's
       formSubmitURL is not "javascript:". The form is never submitted, so
       the alert should never run. -->
  <form id="form10" action="javascript:alert('this form is not submitted so this alert should not be invoked');">
    <input  type="text"       name="uname">
    <input  type="password"   name="pword">

    <button type="submit">Submit</button>
    <button type="reset"> Reset </button>
  </form>

  <!-- TODO: action=IP.ADDRESS instead of HOSTNAME? -->
  <!-- TODO: test with |base href="http://othersite//"| ? -->
</div>
<pre id="test">
<script class="testbody" type="text/javascript">

/** Test for Login Manager: 360493 (Cross-Site Forms + Password
    Manager = Security Failure) **/

// This test is designed to make sure variations on the form's |action|
// and |method| continue to work with the fix for 360493.

// commonInit() is not defined in this file; it comes from one of the scripts
// included in the page head (presumably pwmgr_common.js).
// NOTE(review): it presumably sets up the testuser/testpass login that
// startTest() checks for; confirm against that file.
commonInit();

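/**
 * Check the autofill state of every form on the page, then end the test.
 *
 * Forms 1 to 9 vary the form's |action| and |method| and are each expected
 * to hold the login this test looks for (testuser / testpass). Form 10 has a
 * javascript: action URL and is expected to be left unfilled.
 *
 * Uses is(), isnot(), $_() and SimpleTest, none of which are defined in this
 * file; they come from the scripts the page includes.
 */
function startTest() {
  for (var i = 1; i <= 9; i++) {
    // Check form i
    is($_(i, "uname").value, "testuser", "Checking for filled username " + i);
    is($_(i, "pword").value, "testpass", "Checking for filled password " + i);
  }

  // The login's formSubmitURL isn't "javascript:", so don't fill it in.
  // Compare the field's .value, exactly as the loop above does. Comparing
  // what $_() returns (the field itself) against a string is never equal,
  // so the negative check would pass even if the form had been filled and
  // the test could not catch a regression of the 360493 fix.
  isnot($_(10, "uname").value, "testuser", "Checking username w/ JS action URL");
  isnot($_(10, "pword").value, "testpass", "Checking password w/ JS action URL");

  SimpleTest.finish();
}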

// Run the checks from the window's load handler.
window.onload = startTest;

// Ask the harness to wait for an explicit end of test; startTest() signals
// it by calling SimpleTest.finish() after its last check.
SimpleTest.waitForExplicitFinish();

</script>
</pre>
</body>
</html>