Factor out duplicated xss test code #917

Closed
samreid opened this issue Feb 13, 2018 · 2 comments
@samreid
Member

samreid commented Feb 13, 2018

During phetsims/friction#64 I noticed the following code:

balloons-and-static-electricity/js/balloons-and-static-electricity/BASEA11yStrings.js

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    var whiteList = [ BASEA11yStrings.stripPlaceholders, BASEA11yStrings.fragmentToSentence ];
    for ( var key in BASEA11yStrings ) {
      if ( !_.includes( whiteList, BASEA11yStrings[ key ] ) ) {
        BASEA11yStrings[ key ] += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
      }
    }
  }

friction/js/friction/FrictionA11yStrings.js

  // TODO: This seems it should be factored out
  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in FrictionA11yStrings ) {
      FrictionA11yStrings[ key ].value += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

john-travoltage/js/john-travoltage/JohnTravoltageA11yStrings.js

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in JohnTravoltageA11yStrings ) {
      JohnTravoltageA11yStrings[ key ] += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

joist

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in JoistA11yStrings ) {
      JoistA11yStrings[ key ] += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

molecules and light

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in MoleculesAndLightA11yStrings ) {
      MoleculesAndLightA11yStrings[ key ].value += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

ohms-law

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in OhmsLawA11yStrings ) {
      OhmsLawA11yStrings[ key ] += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

resistance-in-a-wire

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in ResistanceInAWireA11yStrings ) {
      ResistanceInAWireA11yStrings[ key ].value += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

scenery-phet

  if ( phet.chipper.queryParameters.stringTest === 'xss' ) {
    for ( var key in SceneryPhetA11yStrings ) {
      SceneryPhetA11yStrings[ key ].value += '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVQIW2NkYGD4DwABCQEBtxmN7wAAAABJRU5ErkJggg==" onload="window.location.href=atob(\'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==\')" />';
    }
  }

This code should be factored out. It may be possible to use window.phet.chipper.mapString which already has the xss test base64 data.
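
One way the repeated loops above could collapse into a single shared helper, shown as an added example that is not part of the original issue or PhET's code. The names `appendStringTestPayload`, `XSS_TEST_MARKER` and `demo` are hypothetical, the marker is a constructed inert stand-in for the test payload, and `window.phet.chipper.mapString` is not used because its signature is not shown on this page.

```javascript
// Constructed, inert stand-in for the stringTest=xss payload quoted in the issue.
const XSS_TEST_MARKER = '<img data-xss-test="constructed-marker">';

/**
 * Appends `payload` to every string in `strings`, in place.
 * Covers both shapes seen in the issue: plain string values (BASE, joist, ohms-law)
 * and { value: string } wrappers (friction, scenery-phet).
 * Entries listed in `skip` (the whiteList case: helper functions stored on the
 * same object) and any other non-string entries are left untouched.
 * Returns the keys that were modified so a test can check coverage.
 */
function appendStringTestPayload( strings, payload, skip = [] ) {
  const modified = [];
  for ( const key of Object.keys( strings ) ) {
    const entry = strings[ key ];
    if ( skip.includes( entry ) ) { continue; }
    if ( typeof entry === 'string' ) {
      strings[ key ] = entry + payload;
      modified.push( key );
    }
    else if ( entry !== null && typeof entry === 'object' && typeof entry.value === 'string' ) {
      entry.value += payload;
      modified.push( key );
    }
  }
  return modified;
}

// Constructed sample tables mirroring the two shapes; `stringTest` stands in for
// phet.chipper.queryParameters.stringTest so the block runs outside a sim.
function demo( stringTest ) {
  const stripPlaceholders = s => s.replace( /\{\{\w+\}\}/g, '' );
  const plain = { title: 'Balloon', hint: 'Rub the sweater', stripPlaceholders: stripPlaceholders };
  const wrapped = { title: { value: 'Friction' }, count: 3 };
  let touched = [];
  if ( stringTest === 'xss' ) {
    touched = [
      ...appendStringTestPayload( plain, XSS_TEST_MARKER, [ stripPlaceholders ] ),
      ...appendStringTestPayload( wrapped, XSS_TEST_MARKER )
    ];
  }
  return { plain, wrapped, touched };
}
```

Because the helper skips anything that is not a string, a function stored on the strings object stays callable even when it is not listed in `skip`, which the whiteList in BASEA11yStrings.js had to guard against by hand.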

@pixelzoom
Contributor

Factoring this out is not time well spent. We should be spending that time moving a11y strings to *strings_en.json, see phetsims/rosetta#193.

@zepumph
Member

zepumph commented Oct 7, 2019

Over in phetsims/rosetta#193 we have a plan forward that involves deleting *A11yStrings.js files. I'm going to close this, see phetsims/chipper#795 for issue about deleting.

@zepumph zepumph closed this as completed Oct 7, 2019