pcandoalmeida commented on issue #9538:
URL: https://github.com/apache/airflow/issues/9538#issuecomment-665950954
Hi @joshkadis @mik-laj I've added tests:
- `test_page_site_title()`
- `test_site_title_config_when_set()`
- `test_site_title_config_when_not_set()`
To:
- `test_configuration.py`
- `test_views.py`
I wanted to get some feedback (if that's OK) on ways to test against XSS attacks:
```python
def test_page_site_title_xss_prevention(self):
    xss_string = "<script>alert('Give me your credit card number')</script>"
    with conf_vars({('webserver', 'site_title'): xss_string}):
        resp = self.client.get('home', follow_redirects=True)
        # Jinja2 autoescaping (MarkupSafe) renders the title with HTML entities:
        # '<' -> '&lt;', '>' -> '&gt;', "'" -> '&#39;'
        escaped_xss_string = (
            "&lt;script&gt;alert(&#39;Give me your credit card number&#39;)&lt;/script&gt;"
        )
        self.check_content_in_response(escaped_xss_string, resp)
```
```python
def test_page_site_title_xss_prevention(self):
    xss_string = "<script>alert('Give me your credit card number')</script>"
    with conf_vars({('webserver', 'site_title'): xss_string}):
        # Request the payload itself as a path: it must not resolve to a page
        # and must not be reflected unescaped in the 404 response body.
        resp = self.client.get(
            xss_string,
            follow_redirects=True,
        )
        self.assertEqual(resp.status_code, 404)
        self.assertNotIn(xss_string, resp.data.decode("utf-8"))
```
Both tests pass and the latter is taken from another XSS test. I am hoping
this checks for the correct logic. If OK, I can start raising the PR.