Darren/dpaste
1
0
Fork 0
mirror of https://github.com/DarrenOfficial/dpaste.git synced 2024-11-23 20:06:35 +11:00
Code Issues Projects Releases Packages Wiki Activity

Added unittests for the xss bug.

Browse source
This commit is contained in:
Martin Mahner 2014-08-02 12:56:46 +02:00
parent e74d456272
commit ac87dac3cc
1 changed files with 31 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
dpaste/tests/test_snippet.py
View file

@ -10,7 +10,7 @@ from django.test.utils import override_settings
from ..models import Snippet from ..models import Snippet
from ..forms import EXPIRE_DEFAULT from ..forms import EXPIRE_DEFAULT
from ..highlight import LEXER_DEFAULT from ..highlight import LEXER_DEFAULT, PLAIN_TEXT, PLAIN_CODE
class SnippetTestCase(TestCase): class SnippetTestCase(TestCase):
@ -19,13 +19,15 @@ class SnippetTestCase(TestCase):
self.client = Client() self.client = Client()
self.new_url = reverse('snippet_new') self.new_url = reverse('snippet_new')
def valid_form_data(self): def valid_form_data(self, **kwargs):
return { data = {
'content': u"Hello Wörld.\n\tGood Bye", 'content': u"Hello Wörld.\n\tGood Bye",
'lexer': LEXER_DEFAULT, 'lexer': LEXER_DEFAULT,
'expires': EXPIRE_DEFAULT, 'expires': EXPIRE_DEFAULT,
} }
if kwargs:
data.update(kwargs)
return data
def test_about(self): def test_about(self):
response = self.client.get(reverse('dpaste_about')) response = self.client.get(reverse('dpaste_about'))
@ -247,6 +249,31 @@ class SnippetTestCase(TestCase):
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
# -------------------------------------------------------------------------
# XSS and correct escaping
# -------------------------------------------------------------------------
XSS_ORIGINAL = u'<script>hello</script>'
XSS_ESCAPED = u'&lt;script&gt;hello&lt;/script&gt;'
def test_xss_text_lexer(self):
# Simple 'text' lexer
data = self.valid_form_data(content=self.XSS_ORIGINAL, lexer=PLAIN_TEXT)
response = self.client.post(self.new_url, data, follow=True)
self.assertContains(response, self.XSS_ESCAPED)
def test_xss_code_lexer(self):
# Simple 'code' lexer
data = self.valid_form_data(content=self.XSS_ORIGINAL, lexer=PLAIN_CODE)
response = self.client.post(self.new_url, data, follow=True)
self.assertContains(response, self.XSS_ESCAPED)
def test_xss_pygments_lexer(self):
# Pygments based lexer
data = self.valid_form_data(content=self.XSS_ORIGINAL,
lexer='python')
response = self.client.post(self.new_url, data, follow=True)
self.assertContains(response, self.XSS_ESCAPED)
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------
# History # History
# ------------------------------------------------------------------------- # -------------------------------------------------------------------------