
Commit f8ca477

test(security): add encodeURIComponent regression tests for AJAX filters
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1 parent a80884d commit f8ca477

1 file changed

Lines changed: 17 additions & 0 deletions


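--- a/tests/Security/XssEscapingTest.php
+++ b/tests/Security/XssEscapingTest.php
@@ -34,3 +34,20 @@
 // ENT_QUOTES|ENT_HTML5 encodes single quotes as &apos; (HTML5 named entity)
 expect(html_escape("O'Brien"))->toBe('O&apos;Brien');
 });
+
+it('thold.php AJAX filter uses encodeURIComponent for URL params', function () {
+$src = file_get_contents(realpath(__DIR__ . '/../../thold.php'));
+// rfilter is base64-encoded then URI-encoded; other params are URI-encoded directly
+expect($src)->toContain("encodeURIComponent(base64_encode($('#rfilter').val()))");
+expect($src)->toContain("encodeURIComponent($('#rows').val())");
+});
+
+it('thold_graph.php AJAX filter uses encodeURIComponent for URL params', function () {
+$src = file_get_contents(realpath(__DIR__ . '/../../thold_graph.php'));
+expect($src)->toContain('encodeURIComponent');
+});
+
+it('notify_lists.php AJAX filter uses encodeURIComponent for URL params', function () {
+$src = file_get_contents(realpath(__DIR__ . '/../../notify_lists.php'));
+expect($src)->toContain('encodeURIComponent');
+});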
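Review bot: The thold_graph.php and notify_lists.php tests only assert that the substring `'encodeURIComponent'` appears somewhere in the file, so they would still pass if any one AJAX parameter reverted to an unencoded `$('#…').val()` concatenation; only the thold.php test pins the actual call expressions. Asserting the specific call expressions for those two files the way the first test does, or additionally asserting that no `.val()` read is concatenated into the URL outside an `encodeURIComponent(...)` call, would turn these into real regression tests (the parameter names must be taken from those two source files, not guessed). Separately, `realpath()` returns `false` when the file is absent, and `file_get_contents(false)` then fails with an engine error rather than a readable assertion; a guard such as `expect($path)->toBeFile();` before the read, or a small shared helper that resolves and loads a source file, would give a clearer failure in all three tests. Using single-quoted strings for the expected fragments would also remove any doubt about `$` interpolation inside the double-quoted `"encodeURIComponent($('#rows').val())"` literals.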
