fix: mitigate "sequential @import chaining" vulnerability (#5616)

* `test/e2e-cypress/tests/features/xss/` -> `test/e2e-cypress/tests/security` * add tests * filter <style> tags out of Markdown fields * initialize OAuth inputs without applying `value` attribute
2019-09-20 13:19:08 -07:00
parent c8ad396301
commit 5f6ec8ce1d
11 changed files with 143 additions and 7 deletions
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
@@ -0,0 +1,7 @@
+* {
+  color: red !important; /* for humans */
+}
+
+h4 {
+  display: none; /* for machines, used to trace whether this sheet is applied */
+}