Added unittests for the xss bug.

2024-11-23 11:56:36 +11:00 · 2014-08-02 12:56:46 +02:00 · 2014-08-02 12:56:46 +02:00 · ac87dac3cc
commit ac87dac3cc
parent e74d456272
1 changed files with 31 additions and 4 deletions
--- a/dpaste/tests/test_snippet.py
+++ b/dpaste/tests/test_snippet.py
@ -10,7 +10,7 @@ from django.test.utils import override_settings

 from ..models import Snippet
 from ..forms import EXPIRE_DEFAULT
-from ..highlight import LEXER_DEFAULT
+from ..highlight import LEXER_DEFAULT, PLAIN_TEXT, PLAIN_CODE


 class SnippetTestCase(TestCase):
@ -19,13 +19,15 @@ class SnippetTestCase(TestCase):
        self.client = Client()
        self.new_url = reverse('snippet_new')

-    def valid_form_data(self):
-        return {
+    def valid_form_data(self, **kwargs):
+        data = {
            'content': u"Hello Wörld.\n\tGood Bye",
            'lexer': LEXER_DEFAULT,
            'expires': EXPIRE_DEFAULT,
        }
-
+        if kwargs:
+            data.update(kwargs)
+        return data

    def test_about(self):
        response = self.client.get(reverse('dpaste_about'))
@ -247,6 +249,31 @@ class SnippetTestCase(TestCase):

        self.assertEqual(response.status_code, 200)

+    # -------------------------------------------------------------------------
+    # XSS and correct escaping
+    # -------------------------------------------------------------------------
+    XSS_ORIGINAL = u'<script>hello</script>'
+    XSS_ESCAPED = u'&lt;script&gt;hello&lt;/script&gt;'
+
+    def test_xss_text_lexer(self):
+        # Simple 'text' lexer
+        data = self.valid_form_data(content=self.XSS_ORIGINAL, lexer=PLAIN_TEXT)
+        response = self.client.post(self.new_url, data, follow=True)
+        self.assertContains(response, self.XSS_ESCAPED)
+
+    def test_xss_code_lexer(self):
+        # Simple 'code' lexer
+        data = self.valid_form_data(content=self.XSS_ORIGINAL, lexer=PLAIN_CODE)
+        response = self.client.post(self.new_url, data, follow=True)
+        self.assertContains(response, self.XSS_ESCAPED)
+
+    def test_xss_pygments_lexer(self):
+        # Pygments based lexer
+        data = self.valid_form_data(content=self.XSS_ORIGINAL,
+            lexer='python')
+        response = self.client.post(self.new_url, data, follow=True)
+        self.assertContains(response, self.XSS_ESCAPED)
+
    # -------------------------------------------------------------------------
    # History
    # -------------------------------------------------------------------------