fix #6 tests for xss injection

marcanuy · marcanuy · commit 86e47139843b · 2023-09-19T16:01:35.000-03:00
diff --git a/dynamic_breadcrumbs/app_settings.py b/dynamic_breadcrumbs/app_settings.py
@@ -7,8 +7,8 @@
     settings, "DYNAMIC_BREADCRUMBS_SHOW_AT_BASE_PATH", False
 )
 
-PATH_ALPHANUMERIC = getattr(
-    settings, "DYNAMIC_BREADCRUMBS_PATH_ONLY_ALPHANUMERIC", True
+PATH_XSS_SAFE_MODE = getattr(
+    settings, "DYNAMIC_BREADCRUMBS_PATH_XSS_SAFE_MODE", True
 )
 PATH_MAX_DEPTH = getattr(
     settings, "DYNAMIC_BREADCRUMBS_PATH_MAX_DEPTH", 5
diff --git a/tests/tests.py b/tests/tests.py
@@ -156,6 +156,26 @@ def test_hide_home_at_base_url(self, mock_resolve):
         self.assertEqual(len(result), 0)
 
 
+    
+    @patch('dynamic_breadcrumbs.utils.BreadcrumbsItem._get_resolved_url_metadata')
+    def test_filter_xss_attacks(self, mock_resolve):
+        mock_resolve = False
+
+        app_settings.SHOW_AT_BASE_PATH = False
+        malicious_code = """
+        jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+        """
+        path = f"/level/{malicious_code}/leaf/"
+        breadcrumbs = Breadcrumbs(path=path)
+
+        result = breadcrumbs.as_list()
+        self.assertEqual(len(result), 0)
+
+
+    
+    
+
+
 # class BreadcrumbsItemTests(TestCase):
 #     def test_get_resolved_url_metadata_resolves_valid_path(self):
 #         item = BreadcrumbsItem(

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@`
`7`	`7`	`settings, "DYNAMIC_BREADCRUMBS_SHOW_AT_BASE_PATH", False`
`8`	`8`	`)`
`9`	`9`
`10`		`-PATH_ALPHANUMERIC = getattr(`
`11`		`- settings, "DYNAMIC_BREADCRUMBS_PATH_ONLY_ALPHANUMERIC", True`
	`10`	`+PATH_XSS_SAFE_MODE = getattr(`
	`11`	`+ settings, "DYNAMIC_BREADCRUMBS_PATH_XSS_SAFE_MODE", True`
`12`	`12`	`)`
`13`	`13`	`PATH_MAX_DEPTH = getattr(`
`14`	`14`	`settings, "DYNAMIC_BREADCRUMBS_PATH_MAX_DEPTH", 5`