LayoutTests/http/tests/security/xss-eval.html - WebKit - Git at Google

 <p>This page verifies that you can't use eval to subvert cross-domain checks.</p>
 <p>If the test passes, you'll see a pass message below.</p>
 <hr>
 <pre id="console"></pre>

 <iframe style="width:0; height: 0" src="resources/xss-eval2.html"></iframe>

 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.waitUntilDone();
 }

 function log(s)
 {
     document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
 }

 function shouldBe(aDescription, a, b)
 {
     if (a === b) {
         log("PASS: " + aDescription + " should be " + b + " and is.");
     } else {
         log("FAIL: " + aDescription + " should be " + b + " but instead is " + a + ".");
     }
 }

 document.testExpando = "It's me!";

 addEventListener("message", function()
 {
     shouldBe("eval.call(frames[0], 'document').testExpando",
         (function() { try {
             return eval.call(frames[0], 'document').testExpando;
         } catch(e) { return e.name; } })(), "It's me!")

     shouldBe("childEval.call(frames[0], 'document').testExpando",
         (function() { try {
             return childEval.call(frames[0], 'document').testExpando;
         } catch(e) { return e.name; } })(), "It's me too!");

     shouldBe("childEvalCaller('document').testExpando",
         (function() { try {
             return childEvalCaller('document').testExpando;
         } catch(e) { return e.name; } })(), "SecurityError");

     shouldBe("childLocalEvalCaller('document').testExpando",
         (function() { try { return childLocalEvalCaller('document').testExpando; } catch(e) { return e.name; } })(), "It's me too!");

     if (window.testRunner)
         testRunner.notifyDone();
 }, false);
 </script>
	<p>This page verifies that you can't use eval to subvert cross-domain checks.</p>
	<p>If the test passes, you'll see a pass message below.</p>
	<hr>
	<pre id="console"></pre>

	<iframe style="width:0; height: 0" src="resources/xss-eval2.html"></iframe>

	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.waitUntilDone();
	}

	function log(s)
	{
	document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
	}

	function shouldBe(aDescription, a, b)
	{
	if (a === b) {
	log("PASS: " + aDescription + " should be " + b + " and is.");
	} else {
	log("FAIL: " + aDescription + " should be " + b + " but instead is " + a + ".");
	}
	}

	document.testExpando = "It's me!";

	addEventListener("message", function()
	{
	shouldBe("eval.call(frames[0], 'document').testExpando",
	(function() { try {
	return eval.call(frames[0], 'document').testExpando;
	} catch(e) { return e.name; } })(), "It's me!")

	shouldBe("childEval.call(frames[0], 'document').testExpando",
	(function() { try {
	return childEval.call(frames[0], 'document').testExpando;
	} catch(e) { return e.name; } })(), "It's me too!");

	shouldBe("childEvalCaller('document').testExpando",
	(function() { try {
	return childEvalCaller('document').testExpando;
	} catch(e) { return e.name; } })(), "SecurityError");

	shouldBe("childLocalEvalCaller('document').testExpando",
	(function() { try { return childLocalEvalCaller('document').testExpando; } catch(e) { return e.name; } })(), "It's me too!");

	if (window.testRunner)
	testRunner.notifyDone();
	}, false);
	</script>