fix: do not allow postMessage with axe version of x.y.z

Author: straker

lib/core/utils/respondable.js

@@ -45,10 +45,7 @@
 			var messageSource = _getSource();
 			return (
 				// Check the version matches
-				postedMessage._source === messageSource ||
-				// Allow free communication with axe test
-				postedMessage._source === 'axeAPI.x.y.z' ||
-				messageSource === 'axeAPI.x.y.z'
+				postedMessage._source === messageSource
 			);
 		}
 		return false;
@@ -159,7 +156,7 @@
 		var topic = data.topic;
 		var subscriber = subscribers[topic];
 
-		if (subscriber) {
+		if (subscriber && source === window.parent) {
 			var responder = createResponder(source, null, data.uuid);
 			subscriber(data.message, keepalive, responder);
 		}

test/core/base/audit.js

@@ -1,6 +1,7 @@
 /*global Audit, Rule, Promise */
 describe('Audit', function() {
 	'use strict';
+	var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 	var a, getFlattenedTree;
 	var isNotCalled = function(err) {
@@ -117,7 +118,9 @@ describe('Audit', function() {
 			audit._constructHelpUrls();
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+					'https://dequeuniversity.com/rules/axe/' +
+					ver +
+					'/target?application=axeAPI'
 			});
 		});
 		it('should use changed branding', function() {
@@ -133,7 +136,9 @@ describe('Audit', function() {
 			audit._constructHelpUrls();
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/thing/x.y/target?application=axeAPI'
+					'https://dequeuniversity.com/rules/thing/' +
+					ver +
+					'/target?application=axeAPI'
 			});
 		});
 		it('should use changed application', function() {
@@ -149,7 +154,9 @@ describe('Audit', function() {
 			audit._constructHelpUrls();
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+					'https://dequeuniversity.com/rules/axe/' +
+					ver +
+					'/target?application=thing'
 			});
 		});
 
@@ -161,7 +168,9 @@ describe('Audit', function() {
 				selector: 'bob',
 				metadata: {
 					helpUrl:
-						'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+						'https://dequeuniversity.com/rules/myproject/' +
+						ver +
+						'/target1?application=axeAPI'
 				}
 			});
 			audit.addRule({
@@ -172,7 +181,9 @@ describe('Audit', function() {
 
 			assert.equal(
 				audit.data.rules.target1.helpUrl,
-				'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+				'https://dequeuniversity.com/rules/myproject/' +
+					ver +
+					'/target1?application=axeAPI'
 			);
 			assert.isUndefined(audit.data.rules.target2);
 
@@ -182,11 +193,15 @@ describe('Audit', function() {
 
 			assert.equal(
 				audit.data.rules.target1.helpUrl,
-				'https://dequeuniversity.com/rules/myproject/x.y/target1?application=axeAPI'
+				'https://dequeuniversity.com/rules/myproject/' +
+					ver +
+					'/target1?application=axeAPI'
 			);
 			assert.equal(
 				audit.data.rules.target2.helpUrl,
-				'https://dequeuniversity.com/rules/thing/x.y/target2?application=axeAPI'
+				'https://dequeuniversity.com/rules/thing/' +
+					ver +
+					'/target2?application=axeAPI'
 			);
 		});
 		it('understands prerelease type version numbers', function() {
@@ -207,24 +222,6 @@ describe('Audit', function() {
 				'https://dequeuniversity.com/rules/axe/3.2/target?application=axeAPI'
 			);
 		});
-		it('sets x.y as version for invalid versions', function() {
-			var tempVersion = axe.version;
-			var audit = new Audit();
-			audit.addRule({
-				id: 'target',
-				matches: 'function () {return "hello";}',
-				selector: 'bob'
-			});
-
-			axe.version = 'in-3.0-valid';
-			audit._constructHelpUrls();
-
-			axe.version = tempVersion;
-			assert.equal(
-				audit.data.rules.target.helpUrl,
-				'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
-			);
-		});
 		it('matches major release versions', function() {
 			var tempVersion = axe.version;
 			var audit = new Audit();
@@ -258,7 +255,9 @@ describe('Audit', function() {
 			audit._constructHelpUrls();
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI&lang=de'
+					'https://dequeuniversity.com/rules/axe/' +
+					ver +
+					'/target?application=axeAPI&lang=de'
 			});
 		});
 	});
@@ -298,7 +297,9 @@ describe('Audit', function() {
 			});
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/axe/x.y/target?application=thing'
+					'https://dequeuniversity.com/rules/axe/' +
+					ver +
+					'/target?application=thing'
 			});
 		});
 		it('should call _constructHelpUrls even when nothing changed', function() {
@@ -313,7 +314,9 @@ describe('Audit', function() {
 			audit.setBranding(undefined);
 			assert.deepEqual(audit.data.rules.target, {
 				helpUrl:
-					'https://dequeuniversity.com/rules/axe/x.y/target?application=axeAPI'
+					'https://dequeuniversity.com/rules/axe/' +
+					ver +
+					'/target?application=axeAPI'
 			});
 		});
 		it('should not replace custom set branding', function() {
@@ -324,7 +327,9 @@ describe('Audit', function() {
 				selector: 'bob',
 				metadata: {
 					helpUrl:
-						'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+						'https://dequeuniversity.com/rules/customer-x/' +
+						ver +
+						'/target?application=axeAPI'
 				}
 			});
 			audit.setBranding({
@@ -333,7 +338,9 @@ describe('Audit', function() {
 			});
 			assert.equal(
 				audit.data.rules.target.helpUrl,
-				'https://dequeuniversity.com/rules/customer-x/x.y/target?application=axeAPI'
+				'https://dequeuniversity.com/rules/customer-x/' +
+					ver +
+					'/target?application=axeAPI'
 			);
 		});
 	});

test/core/export.js

@@ -5,6 +5,6 @@ describe('export', function() {
 		assert.isDefined(window.axe);
 	});
 	it('should define version', function() {
-		assert.equal(axe.version, 'x.y.z');
+		assert.isNotNull(axe.version);
 	});
 });

test/core/public/configure.js

@@ -3,6 +3,7 @@ describe('axe.configure', function() {
 	'use strict';
 	var fixture = document.getElementById('fixture');
 	var axeVersion = axe.version;
+	var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 	afterEach(function() {
 		fixture.innerHTML = '';
@@ -94,7 +95,7 @@ describe('axe.configure', function() {
 		assert.lengthOf(axe._audit.rules, 1);
 		assert.equal(
 			axe._audit.data.rules.bob.helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/bob?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' + ver + '/bob?application=axeAPI'
 		);
 		axe.configure({
 			branding: {
@@ -104,7 +105,9 @@ describe('axe.configure', function() {
 		});
 		assert.equal(
 			axe._audit.data.rules.bob.helpUrl,
-			'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+			'https://dequeuniversity.com/rules/thung/' +
+				ver +
+				'/bob?application=thing'
 		);
 	});
 
@@ -127,7 +130,9 @@ describe('axe.configure', function() {
 
 		assert.equal(
 			axe._audit.data.rules.bob.helpUrl,
-			'https://dequeuniversity.com/rules/thung/x.y/bob?application=thing'
+			'https://dequeuniversity.com/rules/thung/' +
+				ver +
+				'/bob?application=thing'
 		);
 	});
 

test/core/public/get-rules.js

@@ -1,5 +1,6 @@
 describe('axe.getRules', function() {
 	'use strict';
+	var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 	beforeEach(function() {
 		axe._load({
@@ -46,7 +47,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[0].help, 'halp');
 		assert.equal(
 			retValue[0].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule1?application=axeAPI'
 		);
 		assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -55,7 +58,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[1].help, 'halp me!');
 		assert.equal(
 			retValue[1].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule2?application=axeAPI'
 		);
 		assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 
@@ -67,7 +72,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[0].help, 'halp me!');
 		assert.equal(
 			retValue[0].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule2?application=axeAPI'
 		);
 		assert.deepEqual(retValue[0].tags, ['tag1', 'tag2']);
 	});
@@ -85,7 +92,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[0].help, 'halp');
 		assert.equal(
 			retValue[0].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule1?application=axeAPI'
 		);
 		assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -94,7 +103,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[1].help, 'halp me!');
 		assert.equal(
 			retValue[1].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule2?application=axeAPI'
 		);
 		assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 	});
@@ -106,7 +117,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[0].help, 'halp');
 		assert.equal(
 			retValue[0].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule1?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule1?application=axeAPI'
 		);
 		assert.deepEqual(retValue[0].tags, ['tag1']);
 
@@ -115,7 +128,9 @@ describe('axe.getRules', function() {
 		assert.equal(retValue[1].help, 'halp me!');
 		assert.equal(
 			retValue[1].helpUrl,
-			'https://dequeuniversity.com/rules/axe/x.y/awesomeRule2?application=axeAPI'
+			'https://dequeuniversity.com/rules/axe/' +
+				ver +
+				'/awesomeRule2?application=axeAPI'
 		);
 		assert.deepEqual(retValue[1].tags, ['tag1', 'tag2']);
 	});

test/core/public/run-rules.js

@@ -1,6 +1,7 @@
 /*global runRules */
 describe('runRules', function() {
 	'use strict';
+	var ver = axe.version.substring(0, axe.version.lastIndexOf('.'));
 
 	// These tests can sometimes be flaky in IE, allow for up to 3 retries
 	if (axe.testUtils.isIE11) {
@@ -206,7 +207,9 @@ describe('runRules', function() {
 							{
 								id: 'div#target',
 								helpUrl:
-									'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+									'https://dequeuniversity.com/rules/axe/' +
+									ver +
+									'/div#target?application=axeAPI',
 								pageLevel: false,
 								impact: null,
 								inapplicable: [],
@@ -241,7 +244,9 @@ describe('runRules', function() {
 							{
 								id: 'first-div',
 								helpUrl:
-									'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+									'https://dequeuniversity.com/rules/axe/' +
+									ver +
+									'/first-div?application=axeAPI',
 								pageLevel: false,
 								impact: null,
 								inapplicable: [],
@@ -493,7 +498,9 @@ describe('runRules', function() {
 					{
 						id: 'div#target',
 						helpUrl:
-							'https://dequeuniversity.com/rules/axe/x.y/div#target?application=axeAPI',
+							'https://dequeuniversity.com/rules/axe/' +
+							ver +
+							'/div#target?application=axeAPI',
 						pageLevel: false,
 						foo: 'bar',
 						stuff: 'blah',
@@ -530,7 +537,9 @@ describe('runRules', function() {
 					{
 						id: 'first-div',
 						helpUrl:
-							'https://dequeuniversity.com/rules/axe/x.y/first-div?application=axeAPI',
+							'https://dequeuniversity.com/rules/axe/' +
+							ver +
+							'/first-div?application=axeAPI',
 						pageLevel: false,
 						bar: 'foo',
 						stuff: 'no',