| 1 | // SPDX-License-Identifier: AGPL-3.0-or-later |
| 2 | |
| 3 | package repo |
| 4 | |
| 5 | import ( |
| 6 | "strings" |
| 7 | "testing" |
| 8 | ) |
| 9 | |
| 10 | func TestCommentEditorConfigJSONEscapesScriptBreakout(t *testing.T) { |
| 11 | t.Parallel() |
| 12 | |
| 13 | got := string(commentEditorConfigJSON(commentEditorConfig{ |
| 14 | Mentions: []commentEditorMention{{ |
| 15 | Username: "alice", |
| 16 | DisplayName: `</script><script>alert(1)</script>`, |
| 17 | }}, |
| 18 | })) |
| 19 | |
| 20 | if strings.Contains(got, "</script>") { |
| 21 | t.Fatalf("config JSON contains raw script terminator: %s", got) |
| 22 | } |
| 23 | if !strings.Contains(got, `\u003c/script\u003e`) { |
| 24 | t.Fatalf("config JSON did not preserve escaped display name: %s", got) |
| 25 | } |
| 26 | } |
| 27 | |
| 28 | func TestCommentEditorAvatarURLPathEscapesUsername(t *testing.T) { |
| 29 | t.Parallel() |
| 30 | |
| 31 | got := commentEditorAvatarURL("team/user") |
| 32 | if got != "/avatars/team%2Fuser" { |
| 33 | t.Fatalf("avatar URL = %q, want escaped path segment", got) |
| 34 | } |
| 35 | } |
| 36 |