@@ -201,6 +201,18 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
201201    clientRenderOnServerString, 
202202  }  =  ReactDOMServerIntegrationUtils ( initModules ) ; 
203203
204+   const  expectToReject  =  fn  =>  { 
205+     let  msg ; 
206+     try  { 
207+       fn ( ) ; 
208+     }  catch  ( x )  { 
209+       msg  =  x . message ; 
210+     } 
211+     expect ( msg ) . toContain ( 
212+       'React has blocked a javascript: URL as a security precaution.' , 
213+     ) ; 
214+   } ; 
215+ 
204216  beforeEach ( ( )  =>  { 
205217    resetModules ( ) ; 
206218  } ) ; 
@@ -209,17 +221,7 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
209221    itRenders , 
210222    ( message ,  test )  => 
211223      itThrowsWhenRendering ( message ,  test ,  'blocked a javascript: URL' ) , 
212-     fn  =>  { 
213-       let  msg ; 
214-       try  { 
215-         fn ( ) ; 
216-       }  catch  ( x )  { 
217-         msg  =  x . message ; 
218-       } 
219-       expect ( msg ) . toContain ( 
220-         'React has blocked a javascript: URL as a security precaution.' , 
221-       ) ; 
222-     } , 
224+     expectToReject , 
223225  ) ; 
224226
225227  itRenders ( 'only the first invocation of toString' ,  async  render  =>  { 
@@ -248,4 +250,17 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
248250    expect ( toStringCalls ) . toBe ( expectedToStringCalls ) ; 
249251    expect ( e . href ) . toBe ( 'https://fb.me/' ) ; 
250252  } ) ; 
253+ 
254+   it ( 'rejects a javascript protocol href if it is added during an update twice' ,  ( )  =>  { 
255+     let  container  =  document . createElement ( 'div' ) ; 
256+     ReactDOM . render ( < a  href = "thisisfine" > click me</ a > ,  container ) ; 
257+     expectToReject ( ( )  =>  { 
258+       ReactDOM . render ( < a  href = "javascript:notfine" > click me</ a > ,  container ) ; 
259+     } ) ; 
260+     // The second update ensures that a global flag hasn't been added to the regex 
261+     // which would fail to match the second time it is called. 
262+     expectToReject ( ( )  =>  { 
263+       ReactDOM . render ( < a  href = "javascript:notfine" > click me</ a > ,  container ) ; 
264+     } ) ; 
265+   } ) ; 
251266} ) ; 
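Review bot: The new test `rejects a javascript protocol href if it is added during an update twice` only asserts that each `ReactDOM.render` call throws; it never checks that the blocked value stayed out of the DOM. Whether the throw happens before the attribute is written is not visible in this hunk, so I would add `expect(container.innerHTML).not.toContain('javascript:');` after each `expectToReject(...)` call to pin that down. In `expectToReject`, a callback that does not throw leaves `msg` undefined, so the failure surfaces as a matcher complaint about the received value rather than a clear "did not throw". Adding `expect(msg).toBeDefined();` before the `toContain` check would make a regression in the URL check easier to read. The enclosing `describe` block starts outside the visible hunks.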