apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 13: Track B — JavaScript + TypeScript harness emitter shapes

Browse source
This commit is contained in:
pitboss 2026-05-14 16:12:11 -05:00
parent 96eb37500c
commit 34a5879459
51 changed files with 2556 additions and 440 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tests/dynamic_fixtures/javascript/browser_event/benign.js Normal file
View file

@ -0,0 +1,19 @@
// Phase 13 — browser-side event handler, benign control.
//
// Uses `textContent` so the payload's `<script>` tag is HTML-escaped before
// serialisation; the XSS oracle marker cannot appear in stdout because
// `<` becomes `&lt;`.
'use strict';
// nyx-shape: browser-event
function clickHandler(payload) {
process.stdout.write('__NYX_SINK_HIT__\n');
const el = document.getElementById('out');
if (el) {
el.textContent = String(payload);
}
return el ? el.textContent : '';
}
module.exports = { clickHandler };

12
tests/dynamic_fixtures/javascript/browser_event/package-lock.json generated Normal file
View file

@ -0,0 +1,12 @@
{
"name": "nyx-harness-jsdom",
"version": "0.0.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "nyx-harness-jsdom",
"version": "0.0.0"
}
}
}

8
tests/dynamic_fixtures/javascript/browser_event/package.json Normal file
View file

@ -0,0 +1,8 @@
{
"name": "nyx-harness-jsdom",
"version": "0.0.0",
"private": true,
"dependencies": {
"jsdom": "^24.1.1"
}
}

21
tests/dynamic_fixtures/javascript/browser_event/vuln.js Normal file
View file

@ -0,0 +1,21 @@
// Phase 13 — browser-side event handler, vulnerable.
//
// Harness spins up jsdom (js_shared::emit_browser_event), assigns
// `globalThis.document`, then calls `clickHandler(payload)`. The handler
// writes payload into innerHTML — the XSS oracle's `<script>NYX_XSS_CONFIRMED
// </script>` payload appears in the serialised DOM the harness mirrors to
// stdout.
'use strict';
// nyx-shape: browser-event
function clickHandler(payload) {
process.stdout.write('__NYX_SINK_HIT__\n');
const el = document.getElementById('out');
if (el) {
el.innerHTML = String(payload);
}
return el ? el.innerHTML : '';
}
module.exports = { clickHandler };