LayoutTests/editing/pasteboard/data-transfer-set-data-sanitizes-html-when-copying-in-null-origin.html

<!DOCTYPE html>
<html>
<body>
<script src="../../resources/js-test-pre.js"></script>
<div id="container">
<button id="copy" onclick="runTest()">1. Copy</button>
<div><br></div>
<div id="source" oncopy="doCopy(event)" contenteditable>some text</div>
<div id="destination" onpaste="doPaste(event)" contenteditable>3. Paste here</div>
</div>
<script>

description('This tests getData strips away secrets and dangerous code when copying inside a null origin document.');
jsTestIsAsync = true;

if (window.internals)
    internals.settings.setCustomPasteboardDataEnabled(true);

function runTest() {
    document.getElementById('source').focus();
    document.execCommand('selectAll');
    document.execCommand('copy');
}

var originalHTML = '<meta content="secret"><b onmouseover="dangerousCode()">hello</b><!-- secret-->, world<script>dangerousCode()</scr' + 'ipt>';
function doCopy(event) {
    event.clipboardData.setData('text/html', originalHTML);
    event.preventDefault();

    const iframe = document.createElement('iframe');
    document.getElementById('container').insertBefore(iframe, iframe.lastChild);
    iframe.src = `data:text/html;charset=utf-8,<!DOCTYPE html>
    <div id="destination" onpaste="doPaste(event)" contenteditable>2. Paste here</div>
    <script>

    function doPaste(event) {
        event.preventDefault();
        parent.postMessage({
            html: event.clipboardData.getData('text/html'),
            types: event.clipboardData.types,
            items: Array.from(event.clipboardData.items).map((item) => ({kind: item.kind, type: item.type})),
        }, '*');
    };

    document.getElementById('destination').focus();
    if (window.testRunner)
        document.execCommand('paste');

    </scri` + 'pt>';
}

onmessage = (event) => {
    typesInNullOrigin = event.data.types;
    shouldBeEqualToString('JSON.stringify(typesInNullOrigin)', '["text/html"]');

    htmlInNullOrigin = event.data.html;
    shouldBeFalse('htmlInNullOrigin.includes("secret")');
    shouldBeFalse('htmlInNullOrigin.includes("dangerousCode")');
    shouldBeEqualToString('b = (new DOMParser).parseFromString(htmlInNullOrigin, "text/html").querySelector("b"); b.textContent', 'hello');
    shouldBeEqualToString('b.parentNode.textContent', 'hello, world');

    itemsInNullOrigin = event.data.items;
    shouldBeEqualToString('JSON.stringify(itemsInNullOrigin)', '[{"kind":"string","type":"text/html"}]');
    document.getElementById('destination').focus();
    if (window.testRunner)
        document.execCommand('paste');
}

function doPaste(event) {
    shouldBeEqualToString('event.clipboardData.getData("text/html")', originalHTML);
    shouldBeEqualToString('JSON.stringify(event.clipboardData.types)', '["text/html"]');
    shouldBeEqualToString('JSON.stringify(Array.from(event.clipboardData.items).map((item) => ({kind: item.kind, type: item.type})))',
        '[{"kind":"string","type":"text/html"}]');
    document.getElementById('container').remove();
    finishJSTest();
}

if (window.testRunner)
    window.onload = runTest;

successfullyParsed = true;

</script>
<script src="../../resources/js-test-post.js"></script>
</body>
</html>