Fix HTML escaping tests for newer Chromium behavior.
The new behavior actually makes the Chromium and Selenium test behavior more intuitive, so the Selenium tests no longer look as though they contain unescaped values, as they did before (even though the values were escaped).
1 parent 3dfb98f commit 8a049f1

1 file changed

+9
-5
lines changed

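--- a/test/admin_ui/test_flash_messages_html_safety.rb
+++ b/test/admin_ui/test_flash_messages_html_safety.rb
@@ -43,6 +43,10 @@ def after_all
 # Selenium tests may return "page.body" with some HTML entities already
 # un-encoded, which makes it trickier to verify the HTML escaping that's
 # going on.
+#
+# Newer versions of Chromium now seems to return things to Selenium escaped,
+# somewhat reducing the need for this separate non-Selenium test, but we'll
+# keep it as an extra sanity check.
 def test_raw_html
 data = MultiJson.dump({
 "id_token" => {
@@ -84,7 +88,7 @@ def test_unverified_html_message
 
 mock_userinfo(data) do
 assert_login_forbidden("Sign in with Google", "not verified")
-assert_match("The email address 'unverified@example.com' is not verified. Please <a href=\"https://example.com/contact/?q='&quot;><script>alert('hello')</script>\">contact us</a> for further assistance.", page.body)
+assert_match("The email address 'unverified@example.com' is not verified. Please <a href=\"https://example.com/contact/?q='&quot;&gt;&lt;script&gt;alert('hello')&lt;/script&gt;\">contact us</a> for further assistance.", page.body)
 end
 end
 
@@ -98,7 +102,7 @@ def test_unverified_html_message_with_xss_email
 
 mock_userinfo(data) do
 assert_login_forbidden("Sign in with Google", "not verified")
-assert_match("The email address ''\"&gt;&lt;script&gt;alert('hello')&lt;/script&gt;' is not verified. Please <a href=\"https://example.com/contact/?q='&quot;><script>alert('hello')</script>\">contact us</a> for further assistance.", page.body)
+assert_match("The email address ''\"&gt;&lt;script&gt;alert('hello')&lt;/script&gt;' is not verified. Please <a href=\"https://example.com/contact/?q='&quot;&gt;&lt;script&gt;alert('hello')&lt;/script&gt;\">contact us</a> for further assistance.", page.body)
 end
 end
 
@@ -112,7 +116,7 @@ def test_nonexistent_html_message
 
 mock_userinfo(data) do
 assert_login_forbidden("Sign in with Google", "not authorized")
-assert_match("The account for 'noadmin@example.com' is not authorized to access the admin. Please <a href=\"https://example.com/contact/?q='&quot;><script>alert('hello')</script>\">contact us</a> for further assistance.", page.body)
+assert_match("The account for 'noadmin@example.com' is not authorized to access the admin. Please <a href=\"https://example.com/contact/?q='&quot;&gt;&lt;script&gt;alert('hello')&lt;/script&gt;\">contact us</a> for further assistance.", page.body)
 end
 end
 
@@ -126,7 +130,7 @@ def test_nonexistent_html_message_with_xss_email
 
 mock_userinfo(data) do
 assert_login_forbidden("Sign in with Google", "not authorized")
-assert_match("The account for ''\"&gt;&lt;script&gt;alert('hello')&lt;/script&gt;' is not authorized to access the admin. Please <a href=\"https://example.com/contact/?q='&quot;><script>alert('hello')</script>\">contact us</a> for further assistance.", page.body)
+assert_match("The account for ''\"&gt;&lt;script&gt;alert('hello')&lt;/script&gt;' is not authorized to access the admin. Please <a href=\"https://example.com/contact/?q='&quot;&gt;&lt;script&gt;alert('hello')&lt;/script&gt;\">contact us</a> for further assistance.", page.body)
 end
 end
 
@@ -144,7 +148,7 @@ def test_mfa_required_html_message
 
 mock_userinfo(data) do
 assert_login_forbidden("Sign in with MAX.gov", "must use multi-factor")
-assert_match("You must use multi-factor authentication to sign in. Please try again, or <a href=\"https://example.com/contact/?q='&quot;><script>alert('hello')</script>\">contact us</a> for further assistance.", page.body)
+assert_match("You must use multi-factor authentication to sign in. Please try again, or <a href=\"https://example.com/contact/?q='&quot;&gt;&lt;script&gt;alert('hello')&lt;/script&gt;\">contact us</a> for further assistance.", page.body)
 end
 end
 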
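Review bot: The `assert_match` expectations on the new side of the `test_unverified_html_message` hunk and the four hunks after it (`test_unverified_html_message_with_xss_email`, `test_nonexistent_html_message`, `test_nonexistent_html_message_with_xss_email`, `test_mfa_required_html_message`) pin the exact entity form the browser produces when it serializes the href attribute back into `page.body`, so they check Chromium's serializer as much as the application's escaping and will need revisiting again whenever that serialization changes. A comment beside the first of those assertions would make the dependency explicit, e.g. `# page.body is the browser's DOM serialization, so the entity form in href is what the driver emits; the non-Selenium test_raw_html is the check on the raw server output.` The comment block added in the first hunk also has a number-agreement slip; `# Newer versions of Chromium now seem to return things to Selenium escaped,` reads correctly. Each changed assertion sits inside a test method whose `def` line is above its hunk.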