rhodecode-enterprise-ce Commit - r1781:ac222064

security: fixed tests.

marcink -

r1781:ac222064 default

parent child

rhodecode/apps/home/tests/test_home.py

0 +8 -11

              import pytest
-             from pylons import tmpl_context as c
              import rhodecode
-             from rhodecode.model.db import Repository, User
+             from rhodecode.model.db import Repository
              from rhodecode.model.meta import Session
              from rhodecode.model.repo import RepoModel
              from rhodecode.model.repo_group import RepoGroupModel
              from rhodecode.model.settings import SettingsModel
              from rhodecode.tests import TestController
              from rhodecode.tests.fixture import Fixture
+             from rhodecode.lib import helpers as h
              fixture = Fixture()
                          response.mustcontain('"name_raw": "%s"' % repo.repo_name)
                  def test_index_contains_statics_with_ver(self):
+                     from pylons import tmpl_context as c
                      self.log_user()
                      response = self.app.get(route_path('home'))
                      user = user_util.create_user()
                      username = user.username
                      user.name = '<img src="/image1" onload="alert(\'Hello, World!\');">'
-                     user.lastname = (
-                         '<img src="/image2" onload="alert(\'Hello, World!\');">')
+                     user.lastname = '#"><img src=x onerror=prompt(document.cookie);>'
                      Session().add(user)
                      Session().commit()
                      user_util.create_repo(owner=username)
                      response = self.app.get(route_path('home'))
-                     response.mustcontain(
-                         '&lt;img src=&#34;/image1&#34; onload=&#34;'
-                         'alert(&#39;Hello, World!&#39;);&#34;&gt;')
-                     response.mustcontain(
-                         '&lt;img src=&#34;/image2&#34; onload=&#34;'
-                         'alert(&#39;Hello, World!&#39;);&#34;&gt;')
+                     response.mustcontain(h.html_escape(h.escape(user.name)))
+                     response.mustcontain(h.html_escape(h.escape(user.lastname)))
                  @pytest.mark.parametrize("name, state", [
                      ('Disabled', False),

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages