SECURITY: XSS in routes

Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
Gerhard Schlager
2019-06-26 16:02:55 +02:00
parent 463db22928
commit 13f38055ac
6 changed files with 237 additions and 3 deletions


@ -2,6 +2,30 @@ import { acceptance } from "helpers/qunit-helpers";
acceptance("User", { loggedIn: true });
QUnit.test("Invalid usernames", async assert => {
// prettier-ignore
server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
return [
404,
{ "Content-Type": "application/json" },
{
errors: ["The requested URL or resource could not be found."],
error_type: "not_found"
}
];
});
await visit("/u/eviltrout%2F..%2F..%2F/summary");
assert.equal(currentPath(), "exception-unknown");
});
QUnit.test("Unicode usernames", async assert => {
await visit("/u/%E3%83%A9%E3%82%A4%E3%82%AA%E3%83%B3/summary");
assert.equal(currentPath(), "user.summary");
});
QUnit.test("Invites", async assert => {
await visit("/u/eviltrout/invited/pending");
assert.ok($("body.user-invites-page").length, "has the body class");