Reword comments, one doc paragraph, and one test failure message so the prose reads naturally. No behaviour change.
package templates
import (
"strings"
"testing"
)
// TestPingPageEscapesQuery asserts hostile query values cannot break out of
// the input's value attribute. elem-go does not escape attribute values, so
// the template must escape before rendering.
func TestPingPageEscapesQuery(t *testing.T) {
	// Each case is a string that would terminate the value attribute or
	// inject markup if copied into the page verbatim.
	hostile := []string{
		`" autofocus onfocus=alert(1) x="`,
		`"><script>alert(1)</script>`,
		`<img src=x onerror=alert(1)>`,
	}

	// expectEscaped fails the subtest when the rendered page still contains
	// the raw query. This only proves the verbatim input is absent; it does
	// not pin the exact escaped form the template produces.
	expectEscaped := func(t *testing.T, query string) {
		rendered := PingPage(query, nil, nil).Render()
		if !strings.Contains(rendered, query) {
			return
		}
		t.Fatalf("payload rendered without escaping: %q", query)
	}

	for _, query := range hostile {
		t.Run(query, func(t *testing.T) {
			expectEscaped(t, query)
		})
	}
}