test(server/m7-363): script-context XSS test asserts </script> count
This commit is contained in:
+14
-4
@@ -62,17 +62,27 @@ func TestApplyBrandingTemplate_XSSEscape_ScriptContext(t *testing.T) {
|
||||
}
|
||||
body := string(out)
|
||||
|
||||
// With html/template escaping intact, the inline-script block has
|
||||
// exactly one </script>. If escaping silently regressed (e.g. someone
|
||||
// swapped html/template for text/template), the AppName payload would
|
||||
// inject a second one and break out of the JS-string context.
|
||||
if got := strings.Count(body, "</script>"); got != 1 {
|
||||
t.Errorf("expected exactly one </script> in body (escaping intact), got %d; body=%q", got, body)
|
||||
}
|
||||
|
||||
// And the JS object literal's closing `};` should still live inside
|
||||
// the script block — i.e. the block didn't get truncated by the payload.
|
||||
scriptOpen := strings.Index(body, "<script>window.__MINSTREL__")
|
||||
if scriptOpen < 0 {
|
||||
t.Fatalf("inline script block missing; body=%s", body)
|
||||
t.Fatalf("inline script block missing; body=%q", body)
|
||||
}
|
||||
scriptClose := strings.Index(body[scriptOpen:], "</script>")
|
||||
if scriptClose < 0 {
|
||||
t.Fatalf("inline script block has no close; body=%s", body)
|
||||
t.Fatalf("inline script block has no close; body=%q", body)
|
||||
}
|
||||
scriptBody := body[scriptOpen : scriptOpen+scriptClose]
|
||||
if strings.Contains(scriptBody, "</script>") {
|
||||
t.Errorf("unescaped </script> inside inline-script context: %s", scriptBody)
|
||||
if !strings.Contains(scriptBody, "};") {
|
||||
t.Errorf("inline script block truncated before object literal closed: %q", scriptBody)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user