index.js
var xssFilter = require('..')
var connect = require('connect')
var request = require('supertest')
var rfile = require('rfile')
var each = require('async').each
var assert = require('assert')
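// Integration tests for the X-XSS-Protection middleware exported by this package.
//
// The suite pins the User-Agent-dependent behaviour: '1; mode=block' for agents
// in the enabled list and for requests with an empty or missing User-Agent, and
// '0' for agents in the disabled list unless `setOnOldIE` forces the header.
//
// NOTE(review): the `setOnOldIE` option name suggests the disabled list holds
// old Internet Explorer builds -- confirm against the fixture file.
// NOTE(review): this header only toggles the legacy browser-side XSS filter,
// which major current browsers no longer implement. Passing tests here say
// nothing about output encoding or Content-Security-Policy, which remain the
// actual XSS defences.
describe('x-xss-protection', function () {
  /**
   * Reads a fixture file of User-Agent strings, one per line.
   *
   * @param {string} filename - Path handed to `rfile`.
   * @returns {string[]} The non-blank lines of the file.
   */
  function grabList (filename) {
    return rfile(filename)
      // Accept CRLF as well as LF so a Windows checkout does not leave a stray
      // '\r' on every User-Agent, which is not a valid header character.
      .split(/\r?\n/)
      .filter(function (line) {
        return line.trim() !== ''
      })
  }

  /**
   * Builds a connect app that runs the given middleware and then answers
   * every request with a fixed body.
   *
   * @param {Function} middleware - An instance returned by `xssFilter(...)`.
   * @returns {Function} The connect app.
   */
  function buildApp (middleware) {
    var server = connect()
    server.use(middleware)
    server.use(function (req, res) {
      res.end('Hello world!')
    })
    return server
  }

  /**
   * Requests '/' once per User-Agent and expects the same header value each time.
   *
   * @param {Function} target - The connect app under test.
   * @param {string[]} agents - User-Agent strings to send.
   * @param {string} expected - Expected X-XSS-Protection value.
   * @param {Function} done - Mocha completion callback.
   */
  function expectHeaderForEach (target, agents, expected, done) {
    // An empty fixture would make `each` finish immediately and the test pass
    // without checking anything.
    assert.ok(agents.length > 0, 'User-Agent fixture list is empty')
    each(agents, function (useragent, callback) {
      request(target).get('/').set('User-Agent', useragent)
        .expect('X-XSS-Protection', expected, function (err) {
          if (err) {
            // Name the offending agent; the bare header mismatch does not.
            err.message += ' (User-Agent: ' + useragent + ')'
          }
          callback(err)
        })
    }, done)
  }

  var enabledBrowsers = grabList('./enabled_browser_list.txt')
  var disabledBrowsers = grabList('./disabled_browser_list.txt')

  var app
  beforeEach(function () {
    app = buildApp(xssFilter())
  })

  it('enables it for supported browsers', function (done) {
    expectHeaderForEach(app, enabledBrowsers, '1; mode=block', done)
  })

  it('disables it for unsupported browsers', function (done) {
    expectHeaderForEach(app, disabledBrowsers, '0', done)
  })

  it('sets header if there is an empty user-agent', function (done) {
    request(app).get('/').set('User-Agent', '')
      .expect('X-XSS-Protection', '1; mode=block', done)
  })

  it('sets header if there is no user-agent', function (done) {
    request(app).get('/').unset('User-Agent')
      .expect('X-XSS-Protection', '1; mode=block', done)
  })

  it('allows you to force the header for unsupported browsers', function (done) {
    // Replace the default app from beforeEach with one that opts in to the override.
    app = buildApp(xssFilter({ setOnOldIE: true }))
    expectHeaderForEach(app, disabledBrowsers, '1; mode=block', done)
  })

  it('names its function and middleware', function () {
    // strictEqual avoids the coercing comparison of the legacy assert.equal.
    assert.strictEqual(xssFilter.name, 'xXssProtection')
    assert.strictEqual(xssFilter().name, 'xXssProtection')
  })
})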