32 lines
771 B
Go
32 lines
771 B
Go
package controllers
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func testXSSAttempt(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.POST("/register", Uc.RegisterUser)
|
|
|
|
xssPayload := "<script>alert('XSS')</script>"
|
|
user := getBaseUser()
|
|
user.FirstName = xssPayload
|
|
user.Email = "user@xss.hack"
|
|
jsonData, _ := json.Marshal(RegistrationData{User: user})
|
|
req, _ := http.NewRequest("POST", "/register", bytes.NewBuffer(jsonData))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
w := httptest.NewRecorder()
|
|
router.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusBadRequest, w.Code)
|
|
assert.NotContains(t, w.Body.String(), xssPayload)
|
|
}
|