# HG changeset patch
# User Marcin Kuzminski
# Date 2017-06-06 11:34:22
# Node ID ac2220646acb4c616d06c9a1dd5754b23c692ba7
# Parent 73cbe636c00e44c0391db141c8b2614d4a98b028
security: fixed tests.
diff --git a/rhodecode/apps/home/tests/test_home.py b/rhodecode/apps/home/tests/test_home.py
--- a/rhodecode/apps/home/tests/test_home.py
+++ b/rhodecode/apps/home/tests/test_home.py
@@ -20,17 +20,16 @@
 import pytest
-from pylons import tmpl_context as c
 import rhodecode
-from rhodecode.model.db import Repository, User
+from rhodecode.model.db import Repository
 from rhodecode.model.meta import Session
 from rhodecode.model.repo import RepoModel
 from rhodecode.model.repo_group import RepoGroupModel
 from rhodecode.model.settings import SettingsModel
 from rhodecode.tests import TestController
 from rhodecode.tests.fixture import Fixture
-
+from rhodecode.lib import helpers as h
 fixture = Fixture()
@@ -55,6 +54,8 @@ class TestHomeController(TestController)
 response.mustcontain('"name_raw": "%s"' % repo.repo_name)
 def test_index_contains_statics_with_ver(self):
+ from pylons import tmpl_context as c
+
 self.log_user()
 response = self.app.get(route_path('home'))
@@ -103,19 +104,15 @@ class TestHomeController(TestController)
 user = user_util.create_user()
 username = user.username
 user.name = ''
- user.lastname = (
- '')
+ user.lastname = '#">'
+
 Session().add(user)
 Session().commit()
 user_util.create_repo(owner=username)
 response = self.app.get(route_path('home'))
- response.mustcontain(
- '<img src="/image1" onload="'
- 'alert('Hello, World!');">')
- response.mustcontain(
- '<img src="/image2" onload="'
- 'alert('Hello, World!');">')
+ response.mustcontain(h.html_escape(h.escape(user.name)))
+ response.mustcontain(h.html_escape(h.escape(user.lastname)))
 @pytest.mark.parametrize("name, state", [
 ('Disabled', False),
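Review bot: The first new assertion in the `@@ -103,19 +104,15 @@` hunk is vacuous: `user.name` is set to `''` three lines above, so `h.html_escape(h.escape(user.name))` is the empty string and `response.mustcontain('')` passes against any page; give the name a non-empty marker that needs escaping, e.g. `user.name = '&<'`, so both fields are actually exercised. The rewritten checks also only prove the escaped form is present, not that the raw marker is absent, which is the property a regression test for this fix should pin; adding `response.mustcontain(no=user.lastname)` (WebTest's `no=` keyword) closes that gap. The double escaping `h.html_escape(h.escape(...))` is presumably matching how the template renders the already-escaped value, but that is not obvious from the hunk — a one-line comment such as `# value is escaped once by the model and again by the template` would save the next reader working it out. The enclosing test method's `def` line is outside the hunk.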