Regression coverage for Issue 52402 (#2299)

Author: labkey-nicka

modules/simpletest/resources/views/encodeButton.html

@@ -0,0 +1,15 @@
+<input id="firstName" type="text" value="<script>alert('XSS Input Success')</script><span>Loading XSS</span>" />
+<button class="btn btn-primary input-test" data-loading-text="<span>I'm Loading</span>" type="button">
+    Attempt XSS injection
+</button>
+<script type="text/javascript" nonce="<%=scriptNonce%>">
+    // Issue 52402: Verify the "loadingText" attribute for a bootstrap button() is properly encoded.
+    // See ClientAPITest.testBootstrapButtonEncoding
+    $(function () {
+        $('.input-test').click(function () {
+            let inputValue = $('#firstName').val();
+            $(this).data('loadingText', inputValue);
+            $(this).button('loading', inputValue);
+        });
+    });
+</script>

modules/simpletest/resources/views/encodeButton.view.xml

@@ -0,0 +1,5 @@
+<view xmlns="http://labkey.org/data/xml/view">
+    <dependencies>
+        <dependency path="internal/jQuery" />
+    </dependencies>
+</view>

src/org/labkey/test/tests/ClientAPITest.java

@@ -1546,6 +1546,21 @@ public void suggestedColumnsInQueryDetailsTest() throws Exception
                 columns.stream().noneMatch(col -> col.getName().equalsIgnoreCase("Container")));
     }
 
+    @Test
+    public void testBootstrapButtonEncoding()
+    {
+        assumeTestModules();
+
+        beginAt(WebTestHelper.buildURL("simpletest", getProjectName(), "encodeButton"));
+        var buttonLocator = Locator.tagWithClass("button", "input-test");
+        waitForElement(buttonLocator);
+
+        // Prior to the patch for Issue 52402 clicking the button would result in a XSS injection
+        // which would result in an UnhandledAlertException.
+        click(buttonLocator);
+        waitForElement(Locator.buttonContainingText("<script>alert('XSS Input Success')</script><span>Loading XSS</span>"));
+    }
+
     @Override
     public BrowserType bestBrowser()
     {