OCram85/code-server
Archived
1
0
Fork 0
Code Pull Requests 2 Activity

feat: add escapeHtml function

Browse Source 
This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.
This commit is contained in:
Joe Previte
2021-06-29 15:28:44 -07:00
parent faa896c12c
commit c505fc45a8
4 changed files with 67 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
test/unit/node/util.test.ts
View File

@ -445,3 +445,11 @@ describe("onLine", () => {
expect(await received).toEqual(expected)
})
})
describe("escapeHtml", () => {
it("should escape HTML", () => {
expect(util.escapeHtml(`<div class="error">"Hello & world"</div>`)).toBe(
"&lt;div class=&quot;error&quot;&gt;&quot;Hello &amp; world&quot;&lt;/div&gt;",
)
})
})

40
test/unit/routes/login.test.ts
View File

@ -1,3 +1,6 @@
import * as httpserver from "../../utils/httpserver"
import * as integration from "../../utils/integration"
import { RateLimiter } from "../../../src/node/routes/login"
describe("login", () => {
@ -34,4 +37,41 @@ describe("login", () => {
expect(limiter.removeToken()).toBe(false)
})
})
describe("/login", () => {
let _codeServer: httpserver.HttpServer | undefined
function codeServer(): httpserver.HttpServer {
if (!_codeServer) {
throw new Error("tried to use code-server before setting it up")
}
return _codeServer
}
// Store whatever might be in here so we can restore it afterward.
// TODO: We should probably pass this as an argument somehow instead of
// manipulating the environment.
const previousEnvPassword = process.env.PASSWORD
beforeEach(async () => {
process.env.PASSWORD = "test"
_codeServer = await integration.setup(["--auth=password"], "")
})
afterEach(() => {
process.env.PASSWORD = previousEnvPassword
})
it("should return escaped HTML with 'Missing password' message", async () => {
const resp = await codeServer().fetch("/login", { method: "POST" })
expect(resp.status).toBe(200)
const htmlContent = await resp.text()
expect(htmlContent).not.toContain(">")
expect(htmlContent).not.toContain("<")
expect(htmlContent).not.toContain('"')
expect(htmlContent).not.toContain("'")
expect(htmlContent).toContain("&lt;div class=&quot;error&quot;&gt;Missing password&lt;/div&gt;")
})
})
})