test(server/m7-363): script-context XSS test asserts </script> count

This commit is contained in:
2026-05-03 17:24:42 -04:00
parent 004d935512
commit 98caa7ea84
+14 -4
View File
@@ -62,17 +62,27 @@ func TestApplyBrandingTemplate_XSSEscape_ScriptContext(t *testing.T) {
} }
body := string(out) body := string(out)
// With html/template escaping intact, the inline-script block has
// exactly one </script>. If escaping silently regressed (e.g. someone
// swapped html/template for text/template), the AppName payload would
// inject a second one and break out of the JS-string context.
if got := strings.Count(body, "</script>"); got != 1 {
t.Errorf("expected exactly one </script> in body (escaping intact), got %d; body=%q", got, body)
}
// And the JS object literal's closing `};` should still live inside
// the script block — i.e. the block didn't get truncated by the payload.
scriptOpen := strings.Index(body, "<script>window.__MINSTREL__") scriptOpen := strings.Index(body, "<script>window.__MINSTREL__")
if scriptOpen < 0 { if scriptOpen < 0 {
t.Fatalf("inline script block missing; body=%s", body) t.Fatalf("inline script block missing; body=%q", body)
} }
scriptClose := strings.Index(body[scriptOpen:], "</script>") scriptClose := strings.Index(body[scriptOpen:], "</script>")
if scriptClose < 0 { if scriptClose < 0 {
t.Fatalf("inline script block has no close; body=%s", body) t.Fatalf("inline script block has no close; body=%q", body)
} }
scriptBody := body[scriptOpen : scriptOpen+scriptClose] scriptBody := body[scriptOpen : scriptOpen+scriptClose]
if strings.Contains(scriptBody, "</script>") { if !strings.Contains(scriptBody, "};") {
t.Errorf("unescaped </script> inside inline-script context: %s", scriptBody) t.Errorf("inline script block truncated before object literal closed: %q", scriptBody)
} }
} }