marcel/linkding
1
0
Fork 0
mirror of https://github.com/sissbruecker/linkding.git synced 2025-08-08 19:28:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Properly encode search query param (#587)

Browse Source
This commit is contained in:
Sascha Ißbrücker
2023-12-08 21:53:54 +01:00
committed by GitHub
parent 227cfdb063
commit 6355d8dff1
4 changed files with 89 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
bookmarks/tests/test_bookmark_shared_view.py
View File

@@ -500,3 +500,35 @@ class BookmarkSharedViewTestCase(TestCase, BookmarkFactoryMixin, HtmlTestMixin):
self.assertEqual(actions_form.attrs['action'],
'/bookmarks/shared/action?q=%23foo&return_url=%2Fbookmarks%2Fshared%3Fq%3D%2523foo')
def test_encode_search_params(self):
self.authenticate()
user = self.get_or_create_test_user()
user.profile.enable_sharing = True
user.profile.save()
bookmark = self.setup_bookmark(description='alert(\'xss\')', shared=True)
url = reverse('bookmarks:shared') + '?q=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')
self.assertContains(response, bookmark.url)
url = reverse('bookmarks:shared') + '?sort=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')
url = reverse('bookmarks:shared') + '?unread=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')
url = reverse('bookmarks:shared') + '?shared=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')
url = reverse('bookmarks:shared') + '?user=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')
url = reverse('bookmarks:shared') + '?page=alert(%27xss%27)'
response = self.client.get(url)
self.assertNotContains(response, 'alert(\'xss\')')