# Copyright 2010 the Melange authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests XSS in errors on the mentor sign-up page."""
from django.utils import html
from seeder import user as user_seeder
from tests import profile_utils
from tests import test_utils
# leading "> is used to terminate <input> element
XSS_PAYLOAD = '"><script>alert("Hello")</script>'
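class ProfileXSSTest(object):
  """Tests sanitization of user-given strings at mentor sign-up.

  This mixin class is abstract and must be co-inherited with (exactly
  one of) GCIDjangoTestCase or GSoCDjangoTestCase. It defines none of
  init(), post(), programType(), timeline_helper or program itself and
  relies on the co-inherited test case base to provide them.
  """

  # Fragment that can only survive in the response if angle brackets were
  # left unescaped. An output path that escapes just the quotes still
  # yields an executable <script> element, and because that variant is not
  # byte-identical to XSS_PAYLOAD the exact-payload check alone would miss
  # it.
  _UNESCAPED_SCRIPT = '<script>alert('

  def setUp(self):
    """See unittest.TestCase.setUp for specification."""
    self.init()
    self.timeline_helper.studentSignup()

  def testSanitization(self):
    """Tests that potentially malicious user input is sanitized properly.

    Every free-text field of the org member registration form is submitted
    with XSS_PAYLOAD. The response must not echo the payload back in any
    executable form, and must contain at least one HTML-escaped copy of it,
    which shows the input was reflected and escaped rather than merely
    dropped.
    """
    user = user_seeder.seedUser()
    profile_utils.loginNDB(user)

    url = '/%(program_type)s/profile/register/org_member/%(program_key)s' % {
        'program_type': self.programType(),
        'program_key': self.program.key().name(),
    }
    fields = (
        'public_name',
        'first_name',
        'last_name',
        'email',
        'phone',
        'residential_street',
        'residential_city',
        'residential_province',
        'residential_country',
        'residential_postal_code',
        'program_knowledge',
    )
    postdata = dict((field, XSS_PAYLOAD) for field in fields)

    response = self.post(url, postdata)
    content = response.content

    # The exact payload must never be reflected verbatim.
    self.assertNotIn(XSS_PAYLOAD, content)
    # Nor may a partially escaped rendering leave the <script> element
    # intact. This matters because the assertIn below is satisfied by a
    # single correctly escaped field, which would otherwise mask another
    # field rendered with only its quotes escaped.
    self.assertNotIn(self._UNESCAPED_SCRIPT, content)
    # The input must have been reflected and escaped (with the same escape
    # function the application is expected to use), not silently discarded.
    self.assertIn(html.escape(XSS_PAYLOAD), content)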
class GCIProfileXSSTest(ProfileXSSTest, test_utils.GCIDjangoTestCase):
  """Concrete test case running the ProfileXSSTest mixin against GCI.

  The mixin supplies setUp() and the test; test_utils.GCIDjangoTestCase
  supplies the environment the mixin expects.
  """