From 77ec41bb6f542077503106cacc1dbd28118c50b4 Mon Sep 17 00:00:00 2001 From: Felix Hammerl Date: Wed, 24 Feb 2016 10:13:25 +0100 Subject: Issue #617: Sanitize received content Sanitizes received HTML content with DOMPurify, making it safe for displaying and templating. Sanitizes received plain text content by encoding every single character as HTML entity. --- web-ui/test/spec/helpers/sanitizer.spec.js | 49 ++++++++++++++++++++++++++++ web-ui/test/spec/helpers/view_helper.spec.js | 7 ---- 2 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 web-ui/test/spec/helpers/sanitizer.spec.js (limited to 'web-ui/test/spec/helpers') diff --git a/web-ui/test/spec/helpers/sanitizer.spec.js b/web-ui/test/spec/helpers/sanitizer.spec.js new file mode 100644 index 00000000..acd4b2b2 --- /dev/null +++ b/web-ui/test/spec/helpers/sanitizer.spec.js @@ -0,0 +1,49 @@ +define(['helpers/sanitizer'], function (sanitizer) { + 'use strict'; + + describe('sanitizer', function () { + + describe('sanitizer.addLineBreaks', function () { + it('should add line breaks', function () { + var expectedOutput = 'foo
bar'; + var output = sanitizer.addLineBreaks('foo\nbar'); + expect(output).toEqual(expectedOutput); + }); + }); + + describe('sanitizer.purifyHtml', function () { + it('should fire up DOMPurify', function () { + var expectedOutput = '123I am a dolphin!'; + var output = sanitizer.purifyHtml('123I am a dolphin!'); + expect(output).toEqual(expectedOutput); + }); + }); + + describe('sanitizer.purifyText', function () { + it('should escape HTML', function () { + var expectedOutput = '123<a>asd</a>'; + var output = sanitizer.purifyText('123asd'); + expect(output).toEqual(expectedOutput); + }); + }); + + describe('sanitizer.sanitize', function () { + it('should sanitize a plaintext mail', function () { + var expectedOutput = '123<a>asd</a>'; + var output = sanitizer.sanitize({ + textPlainBody: '123asd' + }); + expect(output).toEqual(expectedOutput); + }); + + it('should sanitize an html mail', function () { + var expectedOutput = '
123I am a dolphin!foobar
'; + var output = sanitizer.sanitize({ + htmlBody: '
123I am a dolphin!foobar
' + }); + expect(output).toEqual(expectedOutput); + }); + }); + + }); +}); diff --git a/web-ui/test/spec/helpers/view_helper.spec.js b/web-ui/test/spec/helpers/view_helper.spec.js index 92a31a1f..b2f597c2 100644 --- a/web-ui/test/spec/helpers/view_helper.spec.js +++ b/web-ui/test/spec/helpers/view_helper.spec.js @@ -90,13 +90,6 @@ define(['helpers/view_helper'], function (viewHelper) { }); }); - it('each line of plain text mail gets a new paragraph', function () { - var formattedMail = $('
'); - formattedMail.html(viewHelper.formatMailBody(testData.parsedMail.simpleTextPlain)); - expect(formattedMail).toContainHtml('
Hello Everyone
'); - }); - - it('escape html in plain text body', function () { var formattedMail = $('
'); var mail = testData.parsedMail.simpleTextPlain; -- cgit v1.2.3 From 9573bdca55ddc5488066d3af525e41ed1d872ea6 Mon Sep 17 00:00:00 2001 From: NavaL Date: Wed, 24 Feb 2016 16:33:20 +0100 Subject: Backend and frontend protection against csrf attacks: - root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612 --- web-ui/test/spec/helpers/browser.spec.js | 12 +++++++++++ .../test/spec/helpers/monitored_ajax_call.spec.js | 24 +++++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 web-ui/test/spec/helpers/browser.spec.js (limited to 'web-ui/test/spec/helpers') diff --git a/web-ui/test/spec/helpers/browser.spec.js b/web-ui/test/spec/helpers/browser.spec.js new file mode 100644 index 00000000..5b740da8 --- /dev/null +++ b/web-ui/test/spec/helpers/browser.spec.js @@ -0,0 +1,12 @@ +define(['helpers/browser'], function (browser) { + 'use strict'; + + describe('browser ', function() { + it('gets cookie', function() { + document.cookie = 'TWISTED_SESSION=ff895ffc45a4ce140bfc5dda6c61d232; i18next=en-us'; + expect(browser.getCookie('TWISTED_SESSION')).toEqual('ff895ffc45a4ce140bfc5dda6c61d232'); + expect(browser.getCookie('i18next')).toEqual('en-us'); + }); + + }); +}); diff --git a/web-ui/test/spec/helpers/monitored_ajax_call.spec.js b/web-ui/test/spec/helpers/monitored_ajax_call.spec.js index 972ca3ae..c0d55198 100644 --- a/web-ui/test/spec/helpers/monitored_ajax_call.spec.js +++ b/web-ui/test/spec/helpers/monitored_ajax_call.spec.js @@ -1,6 +1,24 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { 'use strict'; describe('monitoredAjaxCall', function () { + + describe('default configs', function () { + + it('should always attach the xsrf token in the header', function () { + var component = { trigger: function () {}}; + var d = $.Deferred(); + spyOn($, 'ajax').and.returnValue(d); + document.cookie = 'XSRF-TOKEN=ff895ffc45a4ce140bfc5dda6c61d232; i18next=en-us'; + var anyUrl = '/'; + + monitoredAjax(component, anyUrl, {}); + + expect($.ajax.calls.mostRecent().args[1].headers).toEqual({ 'X-XSRF-TOKEN' : 'ff895ffc45a4ce140bfc5dda6c61d232' }); + + }); + + }); + describe('when dealing with errors', function () { _.each( @@ -19,7 +37,7 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { d.reject({ responseJSON: {}}, errorType, ''); expect(component.trigger).toHaveBeenCalledWith(document, Pixelated.events.ui.userAlerts.displayMessage, - { message: errorMessage }); + { message: errorMessage, class: 'error' }); }); }); @@ -33,7 +51,7 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { d.reject({ responseJSON: { message: 'Server Message'}}, 'error', ''); expect(component.trigger).toHaveBeenCalledWith(document, Pixelated.events.ui.userAlerts.displayMessage, - { message: 'Server Message' }); + { message: 'Server Message', class: 'error' }); }); }); @@ -76,4 +94,4 @@ define(['helpers/monitored_ajax'], function (monitoredAjax) { }); }); -}); \ No newline at end of file +}); -- cgit v1.2.3