Adds a simple unit test to ensure that bleach is running on API data (#3222)

2024-08-30 18:33:04 +00:00 · 2022-06-18 17:08:47 +10:00 · 2022-06-18 17:08:47 +10:00 · eeff6074e7
commit eeff6074e7
parent 9ba3fdf23d
1 changed files with 31 additions and 0 deletions
--- a/InvenTree/part/test_api.py
+++ b/InvenTree/part/test_api.py
@ -148,6 +148,37 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
        # There should not be any templates left at this point
        self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)

+    def test_bleach(self):
+        """Test that the data cleaning functionality is working"""
+
+        url = reverse('api-part-category-detail', kwargs={'pk': 1})
+
+        self.patch(
+            url,
+            {
+                'description': '<img src=# onerror=alert("pwned")>',
+            },
+            expected_code=200
+        )
+
+        cat = PartCategory.objects.get(pk=1)
+
+        # Image tags have been stripped
+        self.assertEqual(cat.description, '&lt;img src=# onerror=alert("pwned")&gt;')
+
+        self.patch(
+            url,
+            {
+                'description': '<a href="www.google.com">LINK</a><script>alert("h4x0r")</script>',
+            },
+            expected_code=200,
+        )
+
+        # Tags must have been bleached out
+        cat.refresh_from_db()
+
+        self.assertEqual(cat.description, '<a href="www.google.com">LINK</a>&lt;script&gt;alert("h4x0r")&lt;/script&gt;')
+

 class PartOptionsAPITest(InvenTreeAPITestCase):
    """Tests for the various OPTIONS endpoints in the /part/ API.