
Commit e93f394

committed
fix: do not allow postMessage with axe version of x.y.z
1 parent dee205b commit e93f394

12 files changed

Lines changed: 84 additions & 104 deletions


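--- a/lib/core/utils/respondable.js
+++ b/lib/core/utils/respondable.js
@@ -45,10 +45,7 @@
 var messageSource = _getSource();
 return (
 // Check the version matches
-postedMessage._source === messageSource ||
-// Allow free communication with axe test
-postedMessage._source === 'axeAPI.x.y.z' ||
-messageSource === 'axeAPI.x.y.z'
+postedMessage._source === messageSource
 );
 }
 return false;
@@ -152,7 +149,7 @@
 var topic = data.topic;
 var subscriber = subscribers[topic];
 
-if (subscriber) {
+if (subscriber && source === window.parent) {
 var responder = createResponder(source, null, data.uuid);
 subscriber(data.message, keepalive, responder);
 }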
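Review bot: The `_source` comparison kept on new line 48 still compares a string that the sender places in the message payload itself, so it remains a version-compatibility check rather than a trust boundary, and neither hunk inspects the message event's origin. What now limits who can reach a topic subscriber is the `source === window.parent` guard on new line 152, and a comment there would stop the next maintainer from reading the `_source` check as authentication: `// Only the parent frame may dispatch to a subscriber; _source is a compatibility check, not authentication`. In a top-level document `window.parent === window`, so a message the page posts to its own window would satisfy that guard; whether that matters depends on code outside the hunk. Both enclosing functions start and end outside the hunks.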

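--- a/test/core/base/audit.js
+++ b/test/core/base/audit.js
@@ -1,6 +1,7 @@
 /*global Audit, Rule */
 describe('Audit', function() {
 'use strict';
+var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 var a, getFlattenedTree;
 var isNotCalled = function(err) {
@@ -117,7 +118,7 @@ describe('Audit', function() {
 audit._constructHelpUrls();
 assert.deepEqual(audit.data.rules.target, {
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=axeAPI'
 });
 });
 it('should use changed branding', function() {
@@ -133,7 +134,7 @@ describe('Audit', function() {
 audit._constructHelpUrls();
 assert.deepEqual(audit.data.rules.target, {
 helpUrl:
-'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI'
+'https://dequeuniversity.com/rules/thing/' + ver + '/target?application=axeAPI'
 });
 });
 it('should use changed application', function() {
@@ -149,7 +150,7 @@ describe('Audit', function() {
 audit._constructHelpUrls();
 assert.deepEqual(audit.data.rules.target, {
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=thing'
 });
 });
 
@@ -161,7 +162,7 @@ describe('Audit', function() {
 selector: 'bob',
 metadata: {
 helpUrl:
-'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI'
 }
 });
 audit.addRule({
@@ -172,7 +173,7 @@ describe('Audit', function() {
 
 assert.equal(
 audit.data.rules.target1.helpUrl,
-'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI'
 );
 assert.isUndefined(audit.data.rules.target2);
 
@@ -182,11 +183,11 @@ describe('Audit', function() {
 
 assert.equal(
 audit.data.rules.target1.helpUrl,
-'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+'https://dequeuniversity.com/rules/myproject/' + ver + '/target1?application=axeAPI'
 );
 assert.equal(
 audit.data.rules.target2.helpUrl,
-'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI'
+'https://dequeuniversity.com/rules/thing/' + ver + '/target2?application=axeAPI'
 );
 });
 it('understands prerelease type version numbers', function() {
@@ -207,24 +208,6 @@ describe('Audit', function() {
 'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI'
 );
 });
-it('sets x.y as version for invalid versions', function() {
-var tempVersion = axe.version;
-var audit = new Audit();
-audit.addRule({
-id: 'target',
-matches: 'function () {return "hello";}',
-selector: 'bob'
-});
-
-axe.version = 'in-3.0-valid';
-audit._constructHelpUrls();
-
-axe.version = tempVersion;
-assert.equal(
-audit.data.rules.target.helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
-);
-});
 it('matches major release versions', function() {
 var tempVersion = axe.version;
 var audit = new Audit();
@@ -280,7 +263,7 @@ describe('Audit', function() {
 });
 assert.deepEqual(audit.data.rules.target, {
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=thing'
 });
 });
 it('should call _constructHelpUrls even when nothing changed', function() {
@@ -295,7 +278,7 @@ describe('Audit', function() {
 audit.setBranding(undefined);
 assert.deepEqual(audit.data.rules.target, {
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/target?application=axeAPI'
 });
 });
 it('should not replace custom set branding', function() {
@@ -306,7 +289,7 @@ describe('Audit', function() {
 selector: 'bob',
 metadata: {
 helpUrl:
-'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+'https://dequeuniversity.com/rules/customer-x/' + ver + '/target?application=axeAPI'
 }
 });
 audit.setBranding({
@@ -315,7 +298,7 @@ describe('Audit', function() {
 });
 assert.equal(
 audit.data.rules.target.helpUrl,
-'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+'https://dequeuniversity.com/rules/customer-x/' + ver + '/target?application=axeAPI'
 );
 });
 });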
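Review bot: The `ver` helper added at new line 4 derives the expected helpUrl version with `lastIndexOf('.')`, which for a prerelease string such as `3.2.0-alpha.1` yields `3.2.0-alpha` rather than the `3.2` that the existing 'understands prerelease type version numbers' test expects, so these assertions would start failing on such a build. The same one-liner is copied into test/core/public/configure.js, test/core/public/get-rules.js and test/core/public/run-rules.js; a single shared helper in a test support file would keep the four in step, and a pattern like `var ver = /^\d+\.\d+/.exec(axe.version)[0];` would match the major.minor form the URLs use. The removed 'sets x.y as version for invalid versions' test was the only visible coverage of how `_constructHelpUrls` treats a non-semver version; if that fallback still exists in the library, it should keep a test with whatever value it now produces. The describe block extends outside the hunks.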

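--- a/test/core/export.js
+++ b/test/core/export.js
@@ -5,6 +5,6 @@ describe('export', function() {
 assert.isDefined(window.axe);
 });
 it('should define version', function() {
-assert.equal(axe.version, 'x.y.z');
+assert.isNotNull(axe.version);
 });
 });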
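Review bot: `assert.isNotNull(axe.version)` on new line 8 passes for `undefined` and for any non-null value, so the replaced equality check has become close to a no-op for a test named 'should define version'. A shape check pins what the build is expected to inject, e.g. `assert.match(axe.version, /^\d+\.\d+\.\d+/);`, assuming the chai assert interface the other tests on this page use.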

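--- a/test/core/public/configure.js
+++ b/test/core/public/configure.js
@@ -2,6 +2,7 @@
 describe('axe.configure', function() {
 'use strict';
 var fixture = document.getElementById('fixture');
+var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 afterEach(function() {
 fixture.innerHTML = '';
@@ -68,7 +69,7 @@ describe('axe.configure', function() {
 assert.lengthOf(axe._audit.rules, 1);
 assert.equal(
 axe._audit.data.rules.bob.helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI'
 );
 axe.configure({
 branding: {
@@ -78,7 +79,7 @@ describe('axe.configure', function() {
 });
 assert.equal(
 axe._audit.data.rules.bob.helpUrl,
-'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+'https://dequeuniversity.com/rules/thung/' + ver + '/bob?application=thing'
 );
 });
 
@@ -101,7 +102,7 @@ describe('axe.configure', function() {
 
 assert.equal(
 axe._audit.data.rules.bob.helpUrl,
-'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+'https://dequeuniversity.com/rules/thung/' + ver + '/bob?application=thing'
 );
 });
 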

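--- a/test/core/public/get-rules.js
+++ b/test/core/public/get-rules.js
@@ -1,5 +1,6 @@
 describe('axe.getRules', function() {
 'use strict';
+var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 beforeEach(function() {
 axe._load({
@@ -46,7 +47,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[0].help, 'halp');
 assert.equal(
 retValue[0].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI'
 );
 assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -55,7 +56,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[1].help, 'halp me!');
 assert.equal(
 retValue[1].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI'
 );
 assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 
@@ -67,7 +68,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[0].help, 'halp me!');
 assert.equal(
 retValue[0].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI'
 );
 assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']);
 });
@@ -85,7 +86,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[0].help, 'halp');
 assert.equal(
 retValue[0].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI'
 );
 assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -94,7 +95,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[1].help, 'halp me!');
 assert.equal(
 retValue[1].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI'
 );
 assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 });
@@ -106,7 +107,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[0].help, 'halp');
 assert.equal(
 retValue[0].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule1?application=axeAPI'
 );
 assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -115,7 +116,7 @@ describe('axe.getRules', function() {
 assert.equal(retValue[1].help, 'halp me!');
 assert.equal(
 retValue[1].helpUrl,
-'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+'https://dequeuniversity.com/rules/axe/' + ver + '/awesomeRule2?application=axeAPI'
 );
 assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 });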

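--- a/test/core/public/run-rules.js
+++ b/test/core/public/run-rules.js
@@ -1,6 +1,7 @@
 /*global runRules */
 describe('runRules', function() {
 'use strict';
+var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 function iframeReady(src, context, id, cb) {
 var i = document.createElement('iframe');
@@ -198,7 +199,7 @@ describe('runRules', function() {
 {
 id: 'div#target',
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+'https://dequeuniversity.com/rules/axe/' + ver +'/div#target?application=axeAPI',
 pageLevel: false,
 impact: null,
 inapplicable: [],
@@ -233,7 +234,7 @@ describe('runRules', function() {
 {
 id: 'first-div',
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+'https://dequeuniversity.com/rules/axe/' + ver +'/first-div?application=axeAPI',
 pageLevel: false,
 impact: null,
 inapplicable: [],
@@ -485,7 +486,7 @@ describe('runRules', function() {
 {
 id: 'div#target',
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+'https://dequeuniversity.com/rules/axe/' + ver +'/div#target?application=axeAPI',
 pageLevel: false,
 foo: 'bar',
 stuff: 'blah',
@@ -522,7 +523,7 @@ describe('runRules', function() {
 {
 id: 'first-div',
 helpUrl:
-'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+'https://dequeuniversity.com/rules/axe/' + ver +'/first-div?application=axeAPI',
 pageLevel: false,
 bar: 'foo',
 stuff: 'no',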
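Review bot: The concatenations at new lines 202, 237, 489 and 526 are written `' + ver +'/…'`, dropping the space after the second `+`, unlike the same expressions in the other test files in this commit; the formatter would normalise them to `' + ver + '/…'`. The surrounding describe block and the expected-result object literals extend outside the hunks.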
