Test switch that disable markdown for the whole app

closes #179

Test switch that disable markdown for the whole app
539d2bd8 · Bryan BRANCOTTE · 1373f0a2 · 539d2bd8 · 539d2bd8
Commit 539d2bd8 authored 4 months ago by Bryan BRANCOTTE
--- a/src/strass/strass_app/tests/test_views_candidate.py
+++ b/src/strass/strass_app/tests/test_views_candidate.py
@@ -395,6 +395,25 @@ class ViewsTestCase(BaseTestCase):
        self.assertIn("<script", content_str, "check page will still work")
        self.assertIn(expected_html, content_str, "check markdown still work")

+    def test_candidate_html_injection_with_markdown_killed(self):
+        live_settings.markdown_enabled = False
+        injection_script = '<script>window.alter("HTML INJECTION!")</script>'
+        str_part = 'hello world'
+        ok_md = '\n\n## ' + str_part
+        expected_html = '<h2>' + str_part
+
+        candidate = self.candidate_with_account.get_associated_candidate()
+        candidate.motivation = f"foobar {injection_script} zoorrr {ok_md} tt"
+        candidate.save()
+        url = reverse('strass:candidate-detail-me')
+        self.client.force_login(self.candidate_with_account)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        content_str = str(response.content)
+        self.assertNotIn(injection_script, content_str, "script injection should be prevented")
+        self.assertIn("<script", content_str, "check page will still work")
+        self.assertNotIn(expected_html, content_str, "check markdown is killed")
+

 class ViewsTooledTestCase(TooledTestCase):
    def test_delete_user(self):

--- a/src/strass/strass_app/tests/test_views_others.py
+++ b/src/strass/strass_app/tests/test_views_others.py
@@ -573,6 +573,25 @@ class OtherWithDataTestCase(BaseTestCase):
        self.assertIn(img_tag_from_md, content_str, "<img should produced after ![image]")
        self.assertNotIn(script_tag, content_str, "<script should still be prevented")

+    def test_call_markdown_killed(self):
+        live_settings.markdown_enabled = False
+        h2_str = "hello world"
+        h2_html = '<h2>' + h2_str
+        img_tag = '<img src="foo.bar"/>'
+        img_tag_md = '![image](daa.too)'
+        img_tag_from_md = markdown(img_tag_md)
+        script_tag = '<script foo="bar>'
+        models.CallContent.objects.update(content=f'## {h2_str}\n\n{img_tag}\n\n{script_tag}\n\n{img_tag_md}')
+        url = reverse('home')
+        #######################################################################
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        content_str = str(response.content)
+        self.assertNotIn(h2_html, content_str, "an h2 should not be rendered as markdown is killed")
+        self.assertNotIn(img_tag, content_str, "<img is not allowed yet")
+        self.assertNotIn(img_tag_from_md, content_str, "<img should NOT be produced as markdown is killed")
+        self.assertNotIn(script_tag, content_str, "<script should still be prevented")
+
    def test_autocomplete_email(self):
        u = reverse('strass:autocomplete-mail-view')
        urls = [u, u + '?term=ada']