X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=test%2Fweb%2Fstatic_fe%2Fstatic_fe_controller_test.exs;h=430683ea076d74e867fdfca40953f6171645d0c4;hb=7dbf1ffa868e4f5fece298b9ea161e1e11a2ffde;hp=11facab990e95df5ab539b2098f20e9846dcef85;hpb=0cf1d4fcd0c15594f663101061670a4555132840;p=akkoma

diff --git a/test/web/static_fe/static_fe_controller_test.exs b/test/web/static_fe/static_fe_controller_test.exs
index 11facab99..430683ea0 100644
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
@@ -8,9 +8,8 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 
   import Pleroma.Factory
 
-  clear_config_all([:static_fe, :enabled]) do
-    Config.put([:static_fe, :enabled], true)
-  end
+  setup_all do: clear_config([:static_fe, :enabled], true)
+  setup do: clear_config([:instance, :federating], true)
 
   setup %{conn: conn} do
     conn = put_req_header(conn, "accept", "text/html")
@@ -70,6 +69,10 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
       refute html =~ ">test20<"
       refute html =~ ">test29<"
     end
+
+    test "it requires authentication if instance is NOT federating", %{conn: conn, user: user} do
+      ensure_federating_or_authenticated(conn, "/users/#{user.nickname}", user)
+    end
   end
 
   describe "notice html" do
@@ -84,6 +87,19 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
       assert html =~ "testing a thing!"
     end
 
+    test "filters HTML tags", %{conn: conn} do
+      user = insert(:user)
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
+
+      conn =
+        conn
+        |> put_req_header("accept", "text/html")
+        |> get("/notice/#{activity.id}")
+
+      html = html_response(conn, 200)
+      assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]
+    end
+
     test "shows the whole thread", %{conn: conn, user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
 
@@ -153,5 +169,11 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 
       assert html_response(conn, 302) =~ "redirected"
     end
+
+    test "it requires authentication if instance is NOT federating", %{conn: conn, user: user} do
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "testing a thing!"})
+
+      ensure_federating_or_authenticated(conn, "/notice/#{activity.id}", user)
+    end
   end
 end