from tests.conftest import BASE_URL
from tests.test_post import create_post
# Constructed probe strings used by the sanitization tests. Each carries a
# marker word (so the rendered element can be located), an <img> with an
# onerror handler and an inline <script>. The tests assert that neither tag
# survives into the rendered HTML and that no dialog opens, i.e. that the
# markup is dropped or rendered as inert text rather than interpreted.
_ACTIVE_MARKUP = "<img src=x onerror=alert('{tag}')><script>alert('s')</script>"

# Probe submitted as post content; tag 'p' distinguishes the post variant.
POST_PAYLOAD = f"XSSPROBE {_ACTIVE_MARKUP.format(tag='p')} end of post"

# Probe submitted as comment content; tag 'c' distinguishes the comment variant.
COMMENT_PAYLOAD = f"CMTPROBE {_ACTIVE_MARKUP.format(tag='c')} end of comment"
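def test_post_content_is_sanitized(alice):
    """A post body containing active markup must be rendered inert.

    Submits ``POST_PAYLOAD`` as the content of a new post, waits for the post
    detail view to render it, then checks two things: the rendered HTML holds
    no ``<script`` / ``<img`` tag from the payload, and no JavaScript dialog
    was opened while the page rendered.

    Args:
        alice: fixture yielding ``(page, ...)`` for a logged-in user; only the
            Playwright page is used here.

    Raises:
        AssertionError: if an active tag survives into the rendered HTML or a
            dialog was raised (the dialog messages are included for triage).
    """
    page, _ = alice
    fired: list[str] = []

    def _on_dialog(dialog):
        # Record the message so a failure shows which probe fired, then
        # dismiss so the dialog cannot block the rest of the test.
        fired.append(dialog.message)
        dialog.dismiss()

    page.on("dialog", _on_dialog)
    try:
        create_post(page, "random", POST_PAYLOAD)

        content = page.locator(".post-detail-content")
        content.wait_for(state="visible")
        # Also wait for the body paragraph: the container can be visible
        # before the post text has been rendered into it.
        page.locator(".post-detail-content p").first.wait_for(state="visible")

        # inner_html() is serialized markup, so text that was escaped on
        # output ("&lt;script") does not match; only a real tag trips this.
        html = content.inner_html().lower()
        assert "<script" not in html
        assert "<img" not in html
        # NOTE(review): an onerror handler fires only once the image fails to
        # load, which may be after the render waits above; this check is
        # best-effort without a fixed sleep — confirm it is tight enough.
        assert not fired, f"XSS payload executed: {fired}"
    finally:
        # The page comes from a fixture; unregister the handler so it does not
        # accumulate or observe other tests' dialogs if the page is reused.
        page.remove_listener("dialog", _on_dialog)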
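def test_comment_content_is_sanitized(alice):
    """A comment containing active markup must be rendered inert.

    Creates a clean host post, submits ``COMMENT_PAYLOAD`` through the comment
    form, waits for the comment to render, then checks that the rendered HTML
    holds no ``<script`` / ``<img`` tag from the payload and that no
    JavaScript dialog was opened while the page rendered.

    Args:
        alice: fixture yielding ``(page, ...)`` for a logged-in user; only the
            Playwright page is used here.

    Raises:
        AssertionError: if an active tag survives into the rendered HTML or a
            dialog was raised (the dialog messages are included for triage).
    """
    page, _ = alice
    fired: list[str] = []

    def _on_dialog(dialog):
        # Record the message so a failure shows which probe fired, then
        # dismiss so the dialog cannot block the rest of the test.
        fired.append(dialog.message)
        dialog.dismiss()

    page.on("dialog", _on_dialog)
    try:
        # The host post itself is plain text so that any active markup found
        # below can only have come from the comment.
        create_post(page, "random", "Clean host post for comment sanitization")

        page.locator(".comment-form textarea[name='content']").fill(COMMENT_PAYLOAD)
        page.locator(".comment-form button:has-text('Post')").click()

        # Locate the comment by its marker word rather than by position, so a
        # pre-existing comment on the page cannot be checked by mistake.
        comment = page.locator(".comment-text:has-text('CMTPROBE')")
        comment.wait_for(state="visible")
        # Also wait for the body paragraph: the container can be visible
        # before the comment text has been rendered into it.
        page.locator(".comment-text p").first.wait_for(state="visible")

        # inner_html() is serialized markup, so text that was escaped on
        # output ("&lt;script") does not match; only a real tag trips this.
        html = comment.inner_html().lower()
        assert "<script" not in html
        assert "<img" not in html
        # NOTE(review): an onerror handler fires only once the image fails to
        # load, which may be after the render waits above; this check is
        # best-effort without a fixed sleep — confirm it is tight enough.
        assert not fired, f"XSS payload executed: {fired}"
    finally:
        # The page comes from a fixture; unregister the handler so it does not
        # accumulate or observe other tests' dialogs if the page is reused.
        page.remove_listener("dialog", _on_dialog)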