From 98caa7ea84a393f465948025e507117abc23e03f Mon Sep 17 00:00:00 2001 From: Bryan Van Deusen Date: Sun, 3 May 2026 17:24:42 -0400 Subject: [PATCH] test(server/m7-363): script-context XSS test asserts count --- web/template_test.go | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/web/template_test.go b/web/template_test.go index 415cdd80..e73dc500 100644 --- a/web/template_test.go +++ b/web/template_test.go @@ -62,17 +62,27 @@ func TestApplyBrandingTemplate_XSSEscape_ScriptContext(t *testing.T) { } body := string(out) + // With html/template escaping intact, the inline-script block has + // exactly one . If escaping silently regressed (e.g. someone + // swapped html/template for text/template), the AppName payload would + // inject a second one and break out of the JS-string context. + if got := strings.Count(body, ""); got != 1 { + t.Errorf("expected exactly one in body (escaping intact), got %d; body=%q", got, body) + } + + // And the JS object literal's closing `};` should still live inside + // the script block — i.e. the block didn't get truncated by the payload. scriptOpen := strings.Index(body, "") if scriptClose < 0 { - t.Fatalf("inline script block has no close; body=%s", body) + t.Fatalf("inline script block has no close; body=%q", body) } scriptBody := body[scriptOpen : scriptOpen+scriptClose] - if strings.Contains(scriptBody, "") { - t.Errorf("unescaped inside inline-script context: %s", scriptBody) + if !strings.Contains(scriptBody, "};") { + t.Errorf("inline script block truncated before object literal closed: %q", scriptBody) } }