Fork to maintain patches against the official gitea for https://code.ceondo.com https://github.com/go-gitea/gitea

xss_test.go 1.1KB

1234567891011121314151617181920212223242526272829303132333435363738
  1. // Copyright 2017 The Gitea Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package integrations
  5. import (
  6. "net/http"
  7. "testing"
  8. "code.gitea.io/gitea/models"
  9. "github.com/stretchr/testify/assert"
  10. )
  11. func TestXSSUserFullName(t *testing.T) {
  12. prepareTestEnv(t)
  13. user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
  14. const fullName = `name & <script class="evil">alert('Oh no!');</script>`
  15. session := loginUser(t, user.Name)
  16. req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
  17. "_csrf": GetCSRF(t, session, "/user/settings"),
  18. "name": user.Name,
  19. "full_name": fullName,
  20. "email": user.Email,
  21. })
  22. session.MakeRequest(t, req, http.StatusFound)
  23. req = NewRequestf(t, "GET", "/%s", user.Name)
  24. resp := session.MakeRequest(t, req, http.StatusOK)
  25. htmlDoc := NewHTMLParser(t, resp.Body)
  26. assert.EqualValues(t, 0, htmlDoc.doc.Find("script.evil").Length())
  27. assert.EqualValues(t, fullName,
  28. htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),
  29. )
  30. }