diff options
| author | Jocelyn Delalande <jocelyn@crapouillou.net> | 2017-02-22 00:31:52 +0100 |
|---|---|---|
| committer | Jocelyn Delalande <jocelyn@crapouillou.net> | 2017-02-22 00:31:52 +0100 |
| commit | 8c412b391f9402f3840728ad1e6b8043e4ed8b7b (patch) | |
| tree | e5c0cc7c53f4b5a4c56698b35eb19706ed02dc25 | |
| parent | 38d4534c69fed139b2d0cc8e9eba5cfe5e7e3925 (diff) | |
| download | ihatemoney-mirror-8c412b391f9402f3840728ad1e6b8043e4ed8b7b.zip ihatemoney-mirror-8c412b391f9402f3840728ad1e6b8043e4ed8b7b.tar.gz ihatemoney-mirror-8c412b391f9402f3840728ad1e6b8043e4ed8b7b.tar.bz2 | |
Add non-regression test for member name XSS
ref #173
| -rw-r--r-- | budget/tests.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/budget/tests.py b/budget/tests.py index 2ee3d81..c650c80 100644 --- a/budget/tests.py +++ b/budget/tests.py @@ -911,6 +911,18 @@ class APITestCase(TestCase): headers=self.get_auth("raclette")) self.assertStatus(404, req) + def test_username_xss(self): + # create a project + #self.api_create("raclette") + self.post_project("raclette") + self.login("raclette") + + # add members + self.api_add_member("raclette", "<script>") + + result = self.app.get('/raclette/') + self.assertNotIn("<script>", result.data) + def test_weighted_bills(self): # create a project self.api_create("raclette") |