Merge branch 'features/staticfe-sanitization' into 'develop'
[akkoma] / test / web / static_fe / static_fe_controller_test.exs
index 2ce8f9fa30e7516f0d4cb199112bba201da547d2..a3be908887c3c407a7745a0095268bac99f0f93f 100644 (file)
@@ -110,8 +110,20 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
       assert html =~ "testing a thing!"
     end
 
-    test "shows the whole thread", %{conn: conn} do
+    test "filters HTML tags", %{conn: conn} do
       user = insert(:user)
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
+
+      conn =
+        conn
+        |> put_req_header("accept", "text/html")
+        |> get("/notice/#{activity.id}")
+
+      html = html_response(conn, 200)
+      assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]
+    end
+
+    test "shows the whole thread", %{conn: conn, user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
 
       CommonAPI.post(user, %{
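Review bot: The new "filters HTML tags" test only proves that the escaped form of the status appears in the response; it does not prove the raw markup is absent, so a template that rendered the status both escaped and unescaped (say, in a `<title>` or meta tag as well as the body) would still pass. Add `refute html =~ "<script>alert('xss')</script>"` beside the existing `assert` so any render path that leaks the markup fails the test. The test name also overstates what is checked — the tags are escaped, not stripped — so `test "escapes HTML tags", %{conn: conn} do` matches the assertion better. The new test inserts its own user while the adjacent "shows the whole thread" test now takes `user` from the setup context; settling on one convention keeps the describe block consistent. The "shows the whole thread" test body continues past the end of the hunk.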