author | Ian Bicking <ianb@colorstudy.com> | 2010-06-15 12:30:05 -0500 |
---|---|---|
committer | Ian Bicking <ianb@colorstudy.com> | 2010-06-15 12:30:05 -0500 |
commit | bde24c75563bee1f86eec96ec2bd9adac5b71e29 (patch) | |
tree | f9218976db1cfeccafb04a91fa75864aa2b7de2e /tests | |
parent | 15e51654e469e87a6974e46969e8ec1295937f96 (diff) | |
download | paste-bde24c75563bee1f86eec96ec2bd9adac5b71e29.tar.gz |
Fix XSS attacks as reported by Tim Wintle
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_urlmap.py | 7 | ||||
-rw-r--r-- | tests/test_urlparser.py | 7 |
2 files changed, 13 insertions, 1 deletions
diff --git a/tests/test_urlmap.py b/tests/test_urlmap.py
index 1f7fd2a..60b66eb 100644
--- a/tests/test_urlmap.py
+++ b/tests/test_urlmap.py
@@ -39,4 +39,9 @@ def test_map():
     res.mustcontain('script_name="/f"')
     res.mustcontain('path_info="/z/y"')
     res.mustcontain('f-only')
-
+
+def test_404():
+    mapper = URLMap({})
+    app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
+    res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
+    assert '--><script' not in res.body
diff --git a/tests/test_urlparser.py b/tests/test_urlparser.py
index 6f9d200..790535d 100644
--- a/tests/test_urlparser.py
+++ b/tests/test_urlparser.py
@@ -106,6 +106,13 @@ def test_relative_path_in_static_parser():
     app = StaticURLParser(relative_path('find_file'))
     assert '..' not in app.root_directory
 
+def test_xss():
+    app = TestApp(StaticURLParser(relative_path('find_file')),
+                  extra_environ={'HTTP_ACCEPT': 'text/html'})
+    res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
+    print res
+    assert 0
+
 def test_static_parser():
     app = StaticURLParser(path('find_file'))
     testapp = TestApp(app)
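Review bot: The assertion in test_404 can pass even when the 404 body reflects the path unescaped, because the requested path carries `%0D` between `-->` and `<script>`, so a verbatim echo of the decoded path would contain `-->\r<script` and never match the literal `'--><script'`; the check only bites if something strips the CR first, which this hunk does not show. A check that does not depend on how the CR is handled is `assert '<script' not in res.body`, which fails on any unescaped reflection of the tag. test_map's body starts outside the hunk.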
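Review bot: test_xss in tests/test_urlparser.py ends in `print res` followed by `assert 0`, so it fails unconditionally whether or not StaticURLParser escapes the path in its 404 page; it reads as a debugging scaffold committed by mistake rather than a regression test for the fix named in the commit title. Replace those two lines with the same kind of check test_404 makes in tests/test_urlmap.py, `assert '<script' not in res.body`, so the test passes on an escaped response and fails on a reflected one. The `print res` line is also unnecessary once the assertion carries the failure message.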