inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-05-03 22:08:49 +00:00
Code

Adds a simple unit test to ensure that bleach is running on API data (#3222)

Browse Source
This commit is contained in:
Oliver 2022-06-18 17:08:47 +10:00 committed by GitHub
parent 9ba3fdf23d
commit eeff6074e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
InvenTree/part/test_api.py
View File

@ -148,6 +148,37 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
# There should not be any templates left at this point # There should not be any templates left at this point
self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0) self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)
def test_bleach(self):
"""Test that the data cleaning functionality is working"""
url = reverse('api-part-category-detail', kwargs={'pk': 1})
self.patch(
url,
{
'description': '<img src=# onerror=alert("pwned")>',
},
expected_code=200
)
cat = PartCategory.objects.get(pk=1)
# Image tags have been stripped
self.assertEqual(cat.description, '&lt;img src=# onerror=alert("pwned")&gt;')
self.patch(
url,
{
'description': '<a href="www.google.com">LINK</a><script>alert("h4x0r")</script>',
},
expected_code=200,
)
# Tags must have been bleached out
cat.refresh_from_db()
self.assertEqual(cat.description, '<a href="www.google.com">LINK</a>&lt;script&gt;alert("h4x0r")&lt;/script&gt;')
class PartOptionsAPITest(InvenTreeAPITestCase): class PartOptionsAPITest(InvenTreeAPITestCase):
"""Tests for the various OPTIONS endpoints in the /part/ API. """Tests for the various OPTIONS endpoints in the /part/ API.