
I am writing a test for a validator function which checks whether a value passed is actually an instance of the Date object or not. It returns either true or false. So if I pass a simple date, it passes as true that it is a safe value, but now I am trying to test it by passing XSS vectors (from this list) and somehow some of them return true, like this one:

<SVg </onlOad ="1> (_=prompt,_(1)) "">

or this:

<svg contentScriptType=text/vbs><script>MsgBox+1

Why is this happening and how can I fix it to return false for xss vectors?

This is the validator function:

const isTimeSafe = (value) => {
    // new Date(string) falls back to implementation-defined, lenient parsing
    // for anything that is not one of the ECMA-262 date formats
    const datetime = new Date(value);

    return (datetime instanceof Date && !isNaN(datetime.valueOf()));
}

Here's the test spec:

const fs = require('fs');

it('should return false when isTimeSafe is called with xss vectors', () => {

    const vectors = fs.readFileSync(`xssVectors.txt`).toString().split('\n');

    for (const vector of vectors) {
       const isSafe = isTimeSafe(vector);

       expect(isSafe).toBe(false);
    }

});


Zak
    There are only 3 string date formats supported by ECMA-262, anything else is implementation dependent. So throwing random strings at `new Date(string)` is almost certain to produce unexpected results for some values and possibly different results in different implementations. – RobG Sep 16 '22 at 20:23
  • 1
    The only reliable way to validate that a string is a valid date is to parse it yourself (a library can help) and test the values, which infers knowing the expected format. – RobG Sep 16 '22 at 20:33
  • @RobG Yeah this is what is happening here. I guess I have to change my validator. My time values are in Unix Epoch Time. So they should always be numbers. What's your suggestion about validating with only a regex that accepts only numbers? – Zak Sep 17 '22 at 09:40
  • 1
    [*Validate that a string is a positive integer*](https://stackoverflow.com/questions/10834796/validate-that-a-string-is-a-positive-integer) – RobG Sep 18 '22 at 08:49
  • Maybe post it as an answer so that I can close this thread. – Zak Sep 18 '22 at 09:17
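The direction the comments converge on, worked through as an added example (this is not the asker's code nor a library API): since the values are Unix epoch timestamps, the validator never hands a string to `new Date(string)` at all. It first proves the input is an unbroken run of ASCII digits, converts with `Number()`, checks that the result is a safe integer inside the range a Date can represent, and only then builds the Date from the number. The function name `isEpochSafe`, the helper `checkVectors` and the sample list are assumptions; the list is constructed for the example and includes the two vectors quoted in the question.

```javascript
// Added example (not the asker's code): validate a Unix epoch timestamp given
// as a string of digits, then run the validator over a constructed vector list.

// Only an unbroken run of decimal digits is allowed. In JavaScript, `$` without
// the `m` flag matches only at the very end of the string, so a stray "\n" or
// "\r" left over from splitting a file also causes a rejection.
const EPOCH_RE = /^[0-9]+$/;

// Largest time value a Date can hold (ECMA-262 TimeClip): 8.64e15 milliseconds.
const MAX_DATE_MS = 8.64e15;

function isEpochSafe(value) {
  // No coercion: anything that is not a string is rejected up front.
  if (typeof value !== 'string') return false;
  if (!EPOCH_RE.test(value)) return false;

  // The string is proven to be digits only, so Number() is an exact conversion
  // and none of the lenient date-string parsing heuristics are involved.
  const ms = Number(value);
  if (!Number.isSafeInteger(ms)) return false; // beyond 2^53 - 1: precision loss
  if (ms > MAX_DATE_MS) return false;           // outside the representable range

  const datetime = new Date(ms);                 // numeric constructor, no parsing
  return !Number.isNaN(datetime.valueOf());
}

// Run the validator over a list of inputs and report which ones it accepted.
function checkVectors(vectors) {
  const accepted = [];
  const rejected = [];
  for (const vector of vectors) {
    (isEpochSafe(vector) ? accepted : rejected).push(vector);
  }
  return { accepted, rejected };
}

// Constructed sample list: two vectors quoted in the question, a few near-misses,
// and two legitimate epoch values (seconds and milliseconds).
const SAMPLE_VECTORS = [
  '<SVg </onlOad ="1> (_=prompt,_(1)) "">',
  '<svg contentScriptType=text/vbs><script>MsgBox+1',
  '2022-09-16T20:23:00Z', // a real ISO date, but not an epoch number
  '1663365780\n',         // digits followed by a stray newline
  '-1663365780',          // negative: not accepted by this validator
  '99999999999999999',    // too large to be a safe integer
  '1663365780',           // seconds since the epoch
  '1663365780000',        // milliseconds since the epoch
];

const report = checkVectors(SAMPLE_VECTORS);
console.log('accepted:', report.accepted);
console.log('rejected:', report.rejected.length, 'inputs');
```

Whether the accepted value is in seconds or milliseconds is a decision the caller still has to make explicitly; this validator only guarantees that the input is a non-negative integer that a Date can represent, which is what keeps the XSS strings out.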

0 Answers