author | William Pitcock <nenolod@dereferenced.org> | 2018-08-31 03:34:56 +0000 |
committer | William Pitcock <nenolod@dereferenced.org> | 2018-08-31 03:34:56 +0000 |
commit | e7871ed05e9ebc8e2fe2f1afe966285e767c682f (patch) | |
tree | 9aedb7c69b4d3c0d7b14901c359654c10f7c8f3a /test | |
parent | 6aa65b68b82c8ad7f6246dc5ccf1ac7673ce3e22 (diff) | |
download | pleroma-e7871ed05e9ebc8e2fe2f1afe966285e767c682f.tar.gz |
tests: add tests for evil HTML filtering
Diffstat (limited to 'test')
-rw-r--r-- | test/web/common_api/common_api_test.exs | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/test/web/common_api/common_api_test.exs b/test/web/common_api/common_api_test.exs
index 2a2c40833..cd5aca961 100644
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@@ -21,4 +21,36 @@ defmodule Pleroma.Web.CommonAPI.Test do
 
     assert karjalanpiirakka["name"] == ":karjalanpiirakka:"
   end
+
+  describe "posting" do
+    test "it filters out obviously bad tags when accepting a post as HTML" do
+      user = insert(:user)
+
+      post = "<h1>2hu</h1><script>alert('xss')</script>"
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => post,
+          "content_type" => "text/html"
+        })
+
+      content = activity.data["object"]["content"]
+      assert content == "<h1>2hu</h1>alert('xss')"
+    end
+
+    test "it filters out obviously bad tags when accepting a post as Markdown" do
+      user = insert(:user)
+
+      post = "<h1>2hu</h1><script>alert('xss')</script>"
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => post,
+          "content_type" => "text/markdown"
+        })
+
+      content = activity.data["object"]["content"]
+      assert content == "<h1>2hu</h1>alert('xss')"
+    end
+  end
 end
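Review bot: Both new tests assert the sanitized output is `"<h1>2hu</h1>alert('xss')"`, i.e. the `<script>` element is removed but its text content survives, and nothing in the test says that this is the intended contract rather than an accepted gap; a one-line comment above each assert such as `# the sanitizer drops the <script> element but keeps its text content` would make that explicit for the next maintainer. The two tests differ only in the `content_type` value, so the fixture could be hoisted to a module attribute (`@xss_post "<h1>2hu</h1><script>alert('xss')</script>"`) or the pair generated with `for content_type <- ["text/html", "text/markdown"]` to avoid the duplicated body. Only the `<script>` element is exercised; a sanitizer regression suite for HTML and Markdown input should also pin the handling of attribute-borne vectors (inline event-handler attributes, `javascript:` URLs) so a future whitelist change cannot silently widen what gets through. The enclosing test module starts before the hunk.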