tests/integration/test_profile_xss.py - soc - Git at Google

 # Copyright 2010 the Melange authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 """Tests XSS in errors on the mentor sign-up page."""

 from django.utils import html

 from seeder import user as user_seeder

 from tests import profile_utils
 from tests import test_utils


 # leading "> is used to terminate <input> element
 XSS_PAYLOAD = '"><script>alert("Hello")</script>'

 class ProfileXSSTest(object):
   """Tests sanitization of user-given strings at mentor sign-up.

   This mixin class is abstract and must be co-inherited with (exactly
   one of) GCIDjangoTestCase or GSoCDjangoTestCase.
   """

   def setUp(self):
     """See unittest.TestCase.setUp for specification."""
     self.init()
     self.timeline_helper.studentSignup()

   def testSanitization(self):
     """Tests that potentially malicious user input is sanitized properly."""
     user = user_seeder.seedUser()
     profile_utils.loginNDB(user)

     url = '/%(program_type)s/profile/register/org_member/%(program_key)s' % {
         'program_type': self.programType(),
         'program_key': self.program.key().name(),
         }

     postdata = {
         'public_name': XSS_PAYLOAD,
         'first_name': XSS_PAYLOAD,
         'last_name': XSS_PAYLOAD,
         'email': XSS_PAYLOAD,
         'phone': XSS_PAYLOAD,
         'residential_street': XSS_PAYLOAD,
         'residential_city': XSS_PAYLOAD,
         'residential_province': XSS_PAYLOAD,
         'residential_country': XSS_PAYLOAD,
         'residential_postal_code': XSS_PAYLOAD,
         'program_knowledge': XSS_PAYLOAD,
     }

     response = self.post(url, postdata)
     self.assertNotIn(XSS_PAYLOAD, response.content)
     self.assertIn(html.escape(XSS_PAYLOAD), response.content)


 class GCIProfileXSSTest(ProfileXSSTest, test_utils.GCIDjangoTestCase):
   pass
	# Copyright 2010 the Melange authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	"""Tests XSS in errors on the mentor sign-up page."""

	from django.utils import html

	from seeder import user as user_seeder

	from tests import profile_utils
	from tests import test_utils


	# leading "> is used to terminate <input> element
	XSS_PAYLOAD = '"><script>alert("Hello")</script>'

	class ProfileXSSTest(object):
	"""Tests sanitization of user-given strings at mentor sign-up.

	This mixin class is abstract and must be co-inherited with (exactly
	one of) GCIDjangoTestCase or GSoCDjangoTestCase.
	"""

	def setUp(self):
	"""See unittest.TestCase.setUp for specification."""
	self.init()
	self.timeline_helper.studentSignup()

	def testSanitization(self):
	"""Tests that potentially malicious user input is sanitized properly."""
	user = user_seeder.seedUser()
	profile_utils.loginNDB(user)

	url = '/%(program_type)s/profile/register/org_member/%(program_key)s' % {
	'program_type': self.programType(),
	'program_key': self.program.key().name(),
	}

	postdata = {
	'public_name': XSS_PAYLOAD,
	'first_name': XSS_PAYLOAD,
	'last_name': XSS_PAYLOAD,
	'email': XSS_PAYLOAD,
	'phone': XSS_PAYLOAD,
	'residential_street': XSS_PAYLOAD,
	'residential_city': XSS_PAYLOAD,
	'residential_province': XSS_PAYLOAD,
	'residential_country': XSS_PAYLOAD,
	'residential_postal_code': XSS_PAYLOAD,
	'program_knowledge': XSS_PAYLOAD,
	}

	response = self.post(url, postdata)
	self.assertNotIn(XSS_PAYLOAD, response.content)
	self.assertIn(html.escape(XSS_PAYLOAD), response.content)


	class GCIProfileXSSTest(ProfileXSSTest, test_utils.GCIDjangoTestCase):
	pass