Added tests to trigger the xss attack (and fail initially)

2025-09-07 17:46:44 +02:00 · 2021-03-11 19:51:05 +01:00
parent 7472a8ebc7
commit 4395a5f404
2 changed files with 90 additions and 4 deletions
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -13,9 +13,25 @@ describe('XSS', () => {
      cy.get('.mermaid').should('exist');
    });
    cy.get('svg')
-    // cy.percySnapshot()
+  })
+
+  it('should not allow tags in the css', () => {
+    const str = 'eyJjb2RlIjoiJSV7aW5pdDogeyAnZm9udEZhbWlseSc6ICdcXFwiPjwvc3R5bGU-PGltZyBzcmM9eCBvbmVycm9yPXhzc0F0dGFjaygpPid9IH0lJVxuZ3JhcGggTFJcbiAgICAgQSAtLT4gQiIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9';
+
+    const url = mermaidUrl(str,{
+      "theme": "default",
+      "flowchart": {
+        "htmlMode": false
+      }
+    }, true);
+
+    cy.visit(url);
+    cy.wait(1000).then(()=>{
+      cy.get('#the-malware').should('not.exist');
+    });

  })
+
  it('should handle xss in tags in non-html mode', () => {
    const str = 'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX19';

@@ -27,9 +43,16 @@ describe('XSS', () => {
    }, true);

    cy.visit(url);
-    // cy.get('svg')
-    // cy.percySnapshot()
-    cy.get('.malware').should('not.exist');
+    cy.wait(1000)
+
+    cy.get('#the-malware').should('not.exist');
+  })
+
+  it('should not allow changing the __proto__ attribute using config', () => {
+    cy.visit('http://localhost:9000/xss2.html');
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');

  })
+
 })