LayoutTests/editing/pasteboard/paste-contents-with-side-effects.html - WebKit - Git at Google

 <!DOCTYPE html>
 <html>
 <body>
 <script src="../../resources/js-test.js"></script>
 <div id="editor" contenteditable></div>
 <script>

 description('This tests inserting content with an event handler. WebKit should never execute event handlers.');

 editor.focus();

 function insertHTML(markup) {
     editor.textContent = '';
     editor.focus();
     document.execCommand('insertHTML', false, markup);
 }

 let didExecute = false;
 debug('');
 debug('Inserting with load event handler');
 editor.addEventListener('beforeinput', () => {
     shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onload="')`);
     shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onmouseover="')`);
 }, {once: true});
 insertHTML('<iframe onload="didExecute = true" onmouseover="alert(\'FAIL\')"></iframe>');
 shouldBeFalse('didExecute');

 didExecute = false;
 debug('');
 debug('Inserting with script element');
 editor.addEventListener('beforeinput', () => {
     shouldBeTrue(`event.dataTransfer.getData('text/html').includes('script')`);
 }, {once: true});
 insertHTML(`<iframe src="data:text/html,<!DOCTYPE html><b>hi</b><script>alert("FAIL")</scr` + 'ipt>"></iframe>');
 shouldBeFalse('didExecute');

 didExecute = false;
 debug('');
 debug('Inserting iframe with a name into plaintext-only');
 editor.setAttribute('contenteditable', 'plaintext-only');

 let i = 0;
 function insertObjectElement() {
     const object = document.createElement('object');
     object.data = 'about:blank';
     object.onload = () => {
         try {
             if (window.open('about:blank', 'named-frame').frameElement.parentNode)
                 didExecute = true;
         } catch (e) { }
         if (!didExecute && i++ < 10)
             insertObjectElement();
     }
     document.body.appendChild(object);
 }
 insertObjectElement();
 editor.focus();
 editor.addEventListener('beforeinput', () => {
     shouldBeTrue(`event.dataTransfer.getData("text/html").includes("iframe name=")`);
 }, {once: true});
 insertHTML(`<iframe name='named-frame'></iframe>`);
 shouldBeFalse('didExecute');
 didExecute = true;

 </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<body>
	<script src="../../resources/js-test.js"></script>
	<div id="editor" contenteditable></div>
	<script>

	description('This tests inserting content with an event handler. WebKit should never execute event handlers.');

	editor.focus();

	function insertHTML(markup) {
	editor.textContent = '';
	editor.focus();
	document.execCommand('insertHTML', false, markup);
	}

	let didExecute = false;
	debug('');
	debug('Inserting with load event handler');
	editor.addEventListener('beforeinput', () => {
	shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onload="')`);
	shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onmouseover="')`);
	}, {once: true});
	insertHTML('<iframe onload="didExecute = true" onmouseover="alert(\'FAIL\')"></iframe>');
	shouldBeFalse('didExecute');

	didExecute = false;
	debug('');
	debug('Inserting with script element');
	editor.addEventListener('beforeinput', () => {
	shouldBeTrue(`event.dataTransfer.getData('text/html').includes('script')`);
	}, {once: true});
	insertHTML(`<iframe src="data:text/html,<!DOCTYPE html><b>hi</b><script>alert("FAIL")</scr` + 'ipt>"></iframe>');
	shouldBeFalse('didExecute');

	didExecute = false;
	debug('');
	debug('Inserting iframe with a name into plaintext-only');
	editor.setAttribute('contenteditable', 'plaintext-only');

	let i = 0;
	function insertObjectElement() {
	const object = document.createElement('object');
	object.data = 'about:blank';
	object.onload = () => {
	try {
	if (window.open('about:blank', 'named-frame').frameElement.parentNode)
	didExecute = true;
	} catch (e) { }
	if (!didExecute && i++ < 10)
	insertObjectElement();
	}
	document.body.appendChild(object);
	}
	insertObjectElement();
	editor.focus();
	editor.addEventListener('beforeinput', () => {
	shouldBeTrue(`event.dataTransfer.getData("text/html").includes("iframe name=")`);
	}, {once: true});
	insertHTML(`<iframe name='named-frame'></iframe>`);
	shouldBeFalse('didExecute');
	didExecute = true;

	</script>
	</body>
	</html>