authorIan Bicking <ianb@colorstudy.com>2010-06-15 12:30:05 -0500
committerIan Bicking <ianb@colorstudy.com>2010-06-15 12:30:05 -0500
commitbde24c75563bee1f86eec96ec2bd9adac5b71e29 (patch)
treef9218976db1cfeccafb04a91fa75864aa2b7de2e /tests
parent15e51654e469e87a6974e46969e8ec1295937f96 (diff)
downloadpaste-bde24c75563bee1f86eec96ec2bd9adac5b71e29.tar.gz
Fix XSS attacks as reported by Tim Wintle
Diffstat (limited to 'tests')
-rw-r--r--tests/test_urlmap.py7
-rw-r--r--tests/test_urlparser.py7
2 files changed, 13 insertions, 1 deletions
diff --git a/tests/test_urlmap.py b/tests/test_urlmap.py
index 1f7fd2a..60b66eb 100644
--- a/tests/test_urlmap.py
+++ b/tests/test_urlmap.py
@@ -39,4 +39,9 @@ def test_map():
res.mustcontain('script_name="/f"')
res.mustcontain('path_info="/z/y"')
res.mustcontain('f-only')
-
+
+def test_404():
+ mapper = URLMap({})
+ app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
+ res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
+ assert '--><script' not in res.body
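Review bot: The assertion on the last added line only rules out the exact substring `--><script`, so a 404 body that still reflects the raw path with `<script>` behind a different prefix would pass. The property the commit title claims is that the tag is not echoed unescaped, which is pinned more directly by `assert '<script' not in res.body`. The request also carries an encoded CR (`%0D`); since the handler that builds the 404 is not in this diff, I cannot tell whether it reaches a header, but a second test covering that would be cheap to add here.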
diff --git a/tests/test_urlparser.py b/tests/test_urlparser.py
index 6f9d200..790535d 100644
--- a/tests/test_urlparser.py
+++ b/tests/test_urlparser.py
@@ -106,6 +106,13 @@ def test_relative_path_in_static_parser():
app = StaticURLParser(relative_path('find_file'))
assert '..' not in app.root_directory
+def test_xss():
+ app = TestApp(StaticURLParser(relative_path('find_file')),
+ extra_environ={'HTTP_ACCEPT': 'text/html'})
+ res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
+ print res
+ assert 0
+
def test_static_parser():
app = StaticURLParser(path('find_file'))
testapp = TestApp(app)
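Review bot: test_xss ends in `print res` followed by `assert 0`, which is debugging scaffolding that makes the test fail unconditionally instead of checking the 404 body. Replace those two added lines with `assert '<script' not in res.body`, mirroring test_404 in tests/test_urlmap.py from this same commit, so both tests pin the same escaping property. The `print` statement form matches the file's Python 2 era and is not the issue. test_static_parser, whose header is the context line above, continues past the end of the hunk.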