frontend: add tests against XSS

frontend/render_test.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"io/ioutil"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+func initSettings() {
+	setting.servers = []string{"alpha"}
+	setting.titleBrand = "Bird-lg Go"
+	setting.navBarBrand = "Bird-lg Go"
+
+	ImportTemplates()
+}
+
+func TestRenderPageTemplate(t *testing.T) {
+	initSettings()
+
+	title := "Test Title"
+	content := "Test Content"
+
+	r := httptest.NewRequest("GET", "/route/alpha/192.168.0.1/", nil)
+	w := httptest.NewRecorder()
+	renderPageTemplate(w, r, title, content)
+
+	resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+	result := string(resultBytes)
+
+	if !strings.Contains(result, title) {
+		t.Error("Title not found in output")
+	}
+	if !strings.Contains(result, content) {
+		t.Error("Content not found in output")
+	}
+}
+
+func TestRenderPageTemplateXSS(t *testing.T) {
+	initSettings()
+
+	evil := "<script>alert('evil');</script>"
+
+	r := httptest.NewRequest("GET", "/whois/"+url.PathEscape(evil), nil)
+	w := httptest.NewRecorder()
+
+	// renderPageTemplate doesn't escape content, filter is done beforehand
+	renderPageTemplate(w, r, evil, "Test Content")
+
+	resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+	result := string(resultBytes)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}
+
+func TestSmartFormatterXSS(t *testing.T) {
+	evil := "<script>alert('evil');</script>"
+	result := smartFormatter(evil)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}
+
+func TestSummaryTableXSS(t *testing.T) {
+	evil := "<script>alert('evil');</script>"
+	evilData := `Name       Proto      Table      State  Since         Info
+` + evil + ` ` + evil + `       ---        up     2021-01-04 17:21:44  ` + evil
+
+	result := summaryTable(evilData, evil)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}