add test for escaping html entities, when using the error page template

Author: wayneforrest

apps/internal/local/server_test.go

@@ -21,15 +21,16 @@ func TestServer(t *testing.T) {
 	defer cancel()
 
 	tests := []struct {
-		desc         string
-		reqState     string
-		port         int
-		q            url.Values
-		failPage     bool
-		statusCode   int
-		successPage  []byte
-		errorPage    []byte
-		testTemplate bool
+		desc              string
+		reqState          string
+		port              int
+		q                 url.Values
+		failPage          bool
+		statusCode        int
+		successPage       []byte
+		errorPage         []byte
+		testTemplate      bool
+		testHTMLInjection bool
 	}{
 		{
 			desc:       "Error: Query Values has 'error' key",
@@ -111,6 +112,15 @@ func TestServer(t *testing.T) {
 			statusCode:   200,
 			testTemplate: true,
 		},
+		{
+			desc:              "Error: Query Values missing 'state' key, using default fail error page - XSS test",
+			reqState:          "state",
+			port:              0,
+			q:                 url.Values{"error": []string{"<script>alert('this code snippet was executed')</script>"}, "error_description": []string{"error_description"}},
+			statusCode:        200,
+			testTemplate:      true,
+			testHTMLInjection: true,
+		},
 	}
 
 	for _, test := range tests {
@@ -185,6 +195,13 @@ func TestServer(t *testing.T) {
 		}
 
 		if test.testTemplate {
+			if test.testHTMLInjection {
+				if !strings.Contains(string(content), "&lt;script&gt;alert(&#39;this code snippet was executed&#39;)&lt;/script&gt;") {
+					t.Errorf("TestServer(%s): want escaped html entities", test.desc)
+				}
+				continue
+			}
+
 			if len(test.errorPage) > 0 {
 				errCode := bytes.Contains(test.errorPage, []byte("{{.Code}}"))
 				errDescription := bytes.Contains(test.errorPage, []byte("{{.Err}}"))