fix: do not allow postMessage with axe version of x.y.z

lib/core/utils/respondable.js

@@ -47,10 +47,7 @@ function verify(postedMessage) {
     var messageSource = _getSource();
     return (
       // Check the version matches
-      postedMessage._source === messageSource ||
-      // Allow free communication with axe test
-      postedMessage._source === 'axeAPI.x.y.z' ||
-      messageSource === 'axeAPI.x.y.z'
+      postedMessage._source === messageSource
     );
   }
   return false;

test/core/base/audit.js

@@ -4,6 +4,7 @@ describe('Audit', function() {
 
   var Audit = axe._thisWillBeDeletedDoNotUse.base.Audit;
   var Rule = axe._thisWillBeDeletedDoNotUse.base.Rule;
+  var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
   var a, getFlattenedTree;
   var isNotCalled = function(err) {
     throw err || new Error('Reject should not be called');
@@ -115,7 +116,9 @@ describe('Audit', function() {
       audit._constructHelpUrls();
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+          'https://dequeuniversity.com/rules/axe/' +
+          ver +
+          '/target?application=axeAPI'
       });
     });
     it('should use changed branding', function() {
@@ -131,7 +134,9 @@ describe('Audit', function() {
       audit._constructHelpUrls();
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI'
+          'https://dequeuniversity.com/rules/thing/' +
+          ver +
+          '/target?application=axeAPI'
       });
     });
     it('should use changed application', function() {
@@ -147,7 +152,9 @@ describe('Audit', function() {
       audit._constructHelpUrls();
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+          'https://dequeuniversity.com/rules/axe/' +
+          ver +
+          '/target?application=thing'
       });
     });
 
@@ -159,7 +166,9 @@ describe('Audit', function() {
         selector: 'bob',
         metadata: {
           helpUrl:
-            'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+            'https://dequeuniversity.com/rules/myproject/' +
+            ver +
+            '/target1?application=axeAPI'
         }
       });
       audit.addRule({
@@ -170,7 +179,9 @@ describe('Audit', function() {
 
       assert.equal(
         audit.data.rules.target1.helpUrl,
-        'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+        'https://dequeuniversity.com/rules/myproject/' +
+          ver +
+          '/target1?application=axeAPI'
       );
       assert.isUndefined(audit.data.rules.target2);
 
@@ -180,11 +191,15 @@ describe('Audit', function() {
 
       assert.equal(
         audit.data.rules.target1.helpUrl,
-        'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+        'https://dequeuniversity.com/rules/myproject/' +
+          ver +
+          '/target1?application=axeAPI'
       );
       assert.equal(
         audit.data.rules.target2.helpUrl,
-        'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI'
+        'https://dequeuniversity.com/rules/thing/' +
+          ver +
+          '/target2?application=axeAPI'
       );
     });
     it('understands prerelease type version numbers', function() {
@@ -205,24 +220,7 @@ describe('Audit', function() {
         'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI'
       );
     });
-    it('sets x.y as version for invalid versions', function() {
-      var tempVersion = axe.version;
-      var audit = new Audit();
-      audit.addRule({
-        id: 'target',
-        matches: 'function () {return "hello";}',
-        selector: 'bob'
-      });
 
-      axe.version = 'in-3.0-valid';
-      audit._constructHelpUrls();
-
-      axe.version = tempVersion;
-      assert.equal(
-        audit.data.rules.target.helpUrl,
-        'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
-      );
-    });
     it('matches major release versions', function() {
       var tempVersion = axe.version;
       var audit = new Audit();
@@ -256,7 +254,9 @@ describe('Audit', function() {
       audit._constructHelpUrls();
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI&lang=de'
+          'https://dequeuniversity.com/rules/axe/' +
+          ver +
+          '/target?application=axeAPI&lang=de'
       });
     });
   });
@@ -296,7 +296,9 @@ describe('Audit', function() {
       });
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+          'https://dequeuniversity.com/rules/axe/' +
+          ver +
+          '/target?application=thing'
       });
     });
     it('should call _constructHelpUrls even when nothing changed', function() {
@@ -311,7 +313,9 @@ describe('Audit', function() {
       audit.setBranding(undefined);
       assert.deepEqual(audit.data.rules.target, {
         helpUrl:
-          'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+          'https://dequeuniversity.com/rules/axe/' +
+          ver +
+          '/target?application=axeAPI'
       });
     });
     it('should not replace custom set branding', function() {
@@ -322,7 +326,9 @@ describe('Audit', function() {
         selector: 'bob',
         metadata: {
           helpUrl:
-            'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+            'https://dequeuniversity.com/rules/customer-x/' +
+            ver +
+            '/target?application=axeAPI'
         }
       });
       audit.setBranding({
@@ -331,7 +337,9 @@ describe('Audit', function() {
       });
       assert.equal(
         audit.data.rules.target.helpUrl,
-        'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+        'https://dequeuniversity.com/rules/customer-x/' +
+          ver +
+          '/target?application=axeAPI'
       );
     });
   });

test/core/export.js

@@ -5,6 +5,6 @@ describe('export', function() {
     assert.isDefined(window.axe);
   });
   it('should define version', function() {
-    assert.equal(axe.version, 'x.y.z');
+    assert.isNotNull(axe.version);
   });
 });

test/core/public/configure.js

@@ -4,6 +4,7 @@ describe('axe.configure', function() {
   // var Check = axe._thisWillBeDeletedDoNotUse.base.Check;
   var fixture = document.getElementById('fixture');
   var axeVersion = axe.version;
+  var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
   afterEach(function() {
     fixture.innerHTML = '';
@@ -96,7 +97,7 @@ describe('axe.configure', function() {
     assert.lengthOf(axe._audit.rules, 1);
     assert.equal(
       axe._audit.data.rules.bob.helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI'
     );
     axe.configure({
       branding: {
@@ -106,7 +107,9 @@ describe('axe.configure', function() {
     });
     assert.equal(
       axe._audit.data.rules.bob.helpUrl,
-      'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+      'https://dequeuniversity.com/rules/thung/' +
+        ver +
+        '/bob?application=thing'
     );
   });
 
@@ -129,7 +132,9 @@ describe('axe.configure', function() {
 
     assert.equal(
       axe._audit.data.rules.bob.helpUrl,
-      'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+      'https://dequeuniversity.com/rules/thung/' +
+        ver +
+        '/bob?application=thing'
     );
   });
 

test/core/public/get-rules.js

@@ -1,5 +1,6 @@
 describe('axe.getRules', function() {
   'use strict';
+  var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
   beforeEach(function() {
     axe._load({
@@ -46,7 +47,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[0].help, 'halp');
     assert.equal(
       retValue[0].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule1?application=axeAPI'
     );
     assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -55,7 +58,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[1].help, 'halp me!');
     assert.equal(
       retValue[1].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule2?application=axeAPI'
     );
     assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 
@@ -67,7 +72,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[0].help, 'halp me!');
     assert.equal(
       retValue[0].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule2?application=axeAPI'
     );
     assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']);
   });
@@ -85,7 +92,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[0].help, 'halp');
     assert.equal(
       retValue[0].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule1?application=axeAPI'
     );
     assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -94,7 +103,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[1].help, 'halp me!');
     assert.equal(
       retValue[1].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule2?application=axeAPI'
     );
     assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
   });
@@ -106,7 +117,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[0].help, 'halp');
     assert.equal(
       retValue[0].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule1?application=axeAPI'
     );
     assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -115,7 +128,9 @@ describe('axe.getRules', function() {
     assert.equal(retValue[1].help, 'halp me!');
     assert.equal(
       retValue[1].helpUrl,
-      'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+      'https://dequeuniversity.com/rules/axe/' +
+        ver +
+        '/awesomeRule2?application=axeAPI'
     );
     assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
   });

test/core/public/run-rules.js

@@ -1,5 +1,6 @@
 describe('runRules', function() {
   'use strict';
+  var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
   // These tests can sometimes be flaky in IE, allow for up to 3 retries
   if (axe.testUtils.isIE11) {
@@ -206,7 +207,9 @@ describe('runRules', function() {
                 {
                   id: 'div#target',
                   helpUrl:
-                    'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+                    'https://dequeuniversity.com/rules/axe/' +
+                    ver +
+                    '/div#target?application=axeAPI',
                   pageLevel: false,
                   impact: null,
                   inapplicable: [],
@@ -245,7 +248,9 @@ describe('runRules', function() {
                 {
                   id: 'first-div',
                   helpUrl:
-                    'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+                    'https://dequeuniversity.com/rules/axe/' +
+                    ver +
+                    '/first-div?application=axeAPI',
                   pageLevel: false,
                   impact: null,
                   inapplicable: [],
@@ -512,7 +517,9 @@ describe('runRules', function() {
             {
               id: 'div#target',
               helpUrl:
-                'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+                'https://dequeuniversity.com/rules/axe/' +
+                ver +
+                '/div#target?application=axeAPI',
               pageLevel: false,
               foo: 'bar',
               stuff: 'blah',
@@ -552,7 +559,9 @@ describe('runRules', function() {
             {
               id: 'first-div',
               helpUrl:
-                'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+                'https://dequeuniversity.com/rules/axe/' +
+                ver +
+                '/first-div?application=axeAPI',
               pageLevel: false,
               bar: 'foo',
               stuff: 'no',