authorEthan Koenig <etk39@cornell.edu>2017-07-12 10:58:52 -0400
committerLauris BH <lauris@nix.lv>2017-07-12 17:58:52 +0300
commit858324c21ab95bb46d881cac6f824d8f9b7d2b87 (patch)
treeb3bbe418449fc8f5307292cfe750b4cf8ff90947 /integrations
parent2c3efd72ce30f77aa7f8056d4973e07912e15da3 (diff)
Fix username rendering bug (#2122)
* Fix username rendering bug * XSS integration test * Migration to unescape user full names
Diffstat (limited to 'integrations')
-rw-r--r--integrations/xss_test.go37
1 files changed, 37 insertions, 0 deletions
diff --git a/integrations/xss_test.go b/integrations/xss_test.go
new file mode 100644
index 0000000000..d71c680d6f
--- /dev/null
+++ b/integrations/xss_test.go
@@ -0,0 +1,37 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestXSSUserFullName(t *testing.T) {
+ prepareTestEnv(t)
+ user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+ const fullName = `name & <script class="evil">alert('Oh no!');</script>`
+
+ session := loginUser(t, user.Name)
+ req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
+ "_csrf": GetCSRF(t, session, "/user/settings"),
+ "name": user.Name,
+ "full_name": fullName,
+ "email": user.Email,
+ })
+ session.MakeRequest(t, req, http.StatusFound)
+
+ req = NewRequestf(t, "GET", "/%s", user.Name)
+ resp := session.MakeRequest(t, req, http.StatusOK)
+ htmlDoc := NewHTMLParser(t, resp.Body)
+ assert.EqualValues(t, 0, htmlDoc.doc.Find("script.evil").Length())
+ assert.EqualValues(t, fullName,
+ htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),
+ )
+}
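Review bot: The two assertions at the end only show that the profile header renders the full name as text and that no `script.evil` element exists; an unescaped copy of the payload landing elsewhere on the page (for example inside an attribute value, where the HTML parser would not create a script element) would pass both checks. Adding a raw-body assertion next to the DOM checks, e.g. `assert.NotContains(t, string(resp.Body), "<script class=\"evil\">")`, would catch that case as well — this assumes resp.Body is a byte slice or string here, which the hunk does not show. The test also has no doc comment; a one-liner such as `// TestXSSUserFullName checks that a user's full name is HTML-escaped when rendered on the profile page.` would state what this regression guard covers.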