From fcf51a77baa4661d4b20d55b87577d5de0a8c422 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Sun, 15 Mar 2020 19:53:52 +0000
Subject: Merge branch 'features/staticfe-sanitization' into 'develop'

static_fe: Sanitize HTML

Closes #1614

See merge request pleroma/pleroma!2299
---
 test/web/static_fe/static_fe_controller_test.exs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'test/web/static_fe/static_fe_controller_test.exs')

diff --git a/test/web/static_fe/static_fe_controller_test.exs b/test/web/static_fe/static_fe_controller_test.exs
index 2ce8f9fa3..a3be90888 100644
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
@@ -110,8 +110,20 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 assert html =~ "testing a thing!"
 end
- test "shows the whole thread", %{conn: conn} do
+ test "filters HTML tags", %{conn: conn} do
 user = insert(:user)
+ {:ok, activity} = CommonAPI.post(user, %{"status" => ""})
+
+ conn =
+ conn
+ |> put_req_header("accept", "text/html")
+ |> get("/notice/#{activity.id}")
+
+ html = html_response(conn, 200)
+ assert html =~ ~s[<script>alert('xss')</script>]
+ end
+
+ test "shows the whole thread", %{conn: conn, user: user} do
 {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
 CommonAPI.post(user, %{
--
cgit v1.2.3
From e25197788f05071a95daed5a6959c1b46aa69098 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Mon, 16 Mar 2020 00:17:28 +0300
Subject: static-fe tests: fix to work on stable
---
 test/web/static_fe/static_fe_controller_test.exs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'test/web/static_fe/static_fe_controller_test.exs')

diff --git a/test/web/static_fe/static_fe_controller_test.exs b/test/web/static_fe/static_fe_controller_test.exs
index a3be90888..2c999295a 100644
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
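Review bot: The final assertion of the new `filters HTML tags` test, `assert html =~ ~s[<script>alert('xss')</script>]`, matches the raw script tag, which as displayed would only pass if unsanitized markup reached the rendered notice, and the status posted on the `CommonAPI.post` line shows as an empty string. Both lines look like the page's HTML rendering having decoded entity-escaped text, so this is probably an extraction artefact rather than what the commit contains, but it should be checked against the repository. If the test really reads this way, post the tag in the status and assert the escaped output, e.g. `assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]` together with `refute html =~ "<script>"`, so the test fails when escaping regresses rather than passing on the unsafe output. The `shows the whole thread` test, whose body continues past the hunk, now reads `user` from the setup context after its `insert(:user)` was moved into the new test; whether setup provides `:user` is not visible here.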
@@ -123,7 +123,8 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 assert html =~ ~s[<script>alert('xss')</script>]
 end
- test "shows the whole thread", %{conn: conn, user: user} do
+ test "shows the whole thread", %{conn: conn} do
+ user = insert(:user)
 {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
 CommonAPI.post(user, %{
--
cgit v1.2.3