summaryrefslogtreecommitdiffstats
path: root/integrations/xss_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'integrations/xss_test.go')
-rw-r--r--integrations/xss_test.go37
1 files changed, 37 insertions, 0 deletions
diff --git a/integrations/xss_test.go b/integrations/xss_test.go
new file mode 100644
index 0000000000..d71c680d6f
--- /dev/null
+++ b/integrations/xss_test.go
@@ -0,0 +1,37 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/models"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestXSSUserFullName(t *testing.T) {
+ prepareTestEnv(t)
+ user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+ const fullName = `name & <script class="evil">alert('Oh no!');</script>`
+
+ session := loginUser(t, user.Name)
+ req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
+ "_csrf": GetCSRF(t, session, "/user/settings"),
+ "name": user.Name,
+ "full_name": fullName,
+ "email": user.Email,
+ })
+ session.MakeRequest(t, req, http.StatusFound)
+
+ req = NewRequestf(t, "GET", "/%s", user.Name)
+ resp := session.MakeRequest(t, req, http.StatusOK)
+ htmlDoc := NewHTMLParser(t, resp.Body)
+ assert.EqualValues(t, 0, htmlDoc.doc.Find("script.evil").Length())
+ assert.EqualValues(t, fullName,
+ htmlDoc.doc.Find("div.content").Find(".header.text.center").Text(),
+ )
+}