
     1  // Copyright 2017 The Gitea Authors. All rights reserved.
     2  // SPDX-License-Identifier: MIT
     3  
     4  package integration
     5  
     6  import (
     7  	"net/http"
     8  	"testing"
     9  
    10  	"code.gitea.io/gitea/models/unittest"
    11  	user_model "code.gitea.io/gitea/models/user"
    12  	"code.gitea.io/gitea/tests"
    13  
    14  	"github.com/stretchr/testify/assert"
    15  )
    16  
// TestXSSUserFullName stores a full name containing an ampersand and an
// inline <script> element through the user settings form, then loads the
// profile page and checks that the value was treated as text rather than
// markup: no <script class="evil"> element may exist in the parsed
// document, and the profile header must show exactly the string entered.
func TestXSSUserFullName(t *testing.T) {
	defer tests.PrepareTestEnv(t)()
	const fullName = `name & <script class="evil">alert('Oh no!');</script>`

	u := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	sess := loginUser(t, u.Name)

	// Submit the settings form with the payload as the full name; the
	// handler answers with a redirect on success.
	form := map[string]string{
		"_csrf":     GetCSRF(t, sess, "/user/settings"),
		"name":      u.Name,
		"full_name": fullName,
		"email":     u.Email,
		"language":  "en-US",
	}
	sess.MakeRequest(t, NewRequestWithValues(t, "POST", "/user/settings", form), http.StatusSeeOther)

	// Fetch the public profile and parse the rendered HTML.
	profile := sess.MakeRequest(t, NewRequestf(t, "GET", "/%s", u.Name), http.StatusOK)
	doc := NewHTMLParser(t, profile.Body).doc

	// The payload must not have become a real element in the DOM ...
	assert.EqualValues(t, 0, doc.Find("script.evil").Length())
	// ... and must be visible verbatim as the header text of the profile.
	header := doc.Find("div.content").Find(".header.text.center")
	assert.EqualValues(t, fullName, header.Text())
}