use strict;
use warnings;
use FindBin qw($Bin);
use lib "$Bin/lib";
use Catalyst::Test 'MyApp03';
use HTTP::Request::Common;
use HTTP::Status;
use Test::More;
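{
    # Baseline: a plain GET of the root action succeeds and the test app
    # renders the literal body 'index'. No request parameters are involved,
    # so nothing is scrubbed here; this only proves the app is wired up.
    my $request = GET('/');
    # ctx_request returns (response, context); the context is not needed
    # for this check, so only the response is bound (the original code kept
    # an unused $c).
    my ($response) = ctx_request($request);
    is($response->code, RC_OK, 'response ok');
    is($response->content, 'index', 'content ok');
}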
{
    # A POST body parameter containing no markup must reach the action
    # unchanged: the scrubber should only alter values that contain HTML.
    my $request = POST('/', [foo => 'bar']);
    my ($response, $ctx) = ctx_request($request);
    is $response->code, RC_OK, 'response ok';
    is $ctx->req->param('foo'), 'bar',
        'Normal POST body param, nothing to strip, left alone';
}
{
    # A <script> element injected into a POST parameter is removed before the
    # action sees it. The expected value is just 'bar', i.e. the scrubber
    # drops the script's inner text as well as the opening and closing tags.
    my $injected = 'bar<script>alert("0");</script>';
    my $request  = POST('/', [foo => $injected]);
    my ($response, $ctx) = ctx_request($request);
    is $response->code, RC_OK, 'response ok';
    is $ctx->req->param('foo'), 'bar', 'XSS stripped from normal POST body param';
}
{
    # <b> is on the allow list in the test app's configuration, so the tag
    # must survive scrubbing intact -- the whole '<b>bar</b>' string, not
    # just the text between the tags.
    my $marked_up = '<b>bar</b>';
    my $request   = POST('/', [foo => $marked_up]);
    my ($response, $ctx) = ctx_request($request);
    is $response->code, RC_OK, 'response ok';
    is $ctx->req->param('foo'), $marked_up, 'Allowed tag not stripped';
}
{
    diag "HTML left alone in ignored field - by regex match";
    # The parameter name foo_html is expected to match an ignore pattern in
    # the test app config, so block-level markup passes through untouched.
    # NOTE(review): the pattern itself lives in the app config, not in this
    # file -- confirm there if this test starts failing.
    my $payload = '<h1>Bar</h1><p>Foo</p>';
    my $request = POST('/', [foo_html => $payload]);
    my ($response, $ctx) = ctx_request($request);
    is $response->code, RC_OK, 'response ok';
    is $ctx->req->param('foo_html'), $payload,
        'HTML left alone in ignored (by regex) field';
}
{
    diag "HTML left alone in ignored field - by name";
    # ignored_param is expected to be listed by exact name in the test app's
    # ignore configuration; the same markup as the regex case must come back
    # byte-for-byte.
    my $payload = '<h1>Bar</h1><p>Foo</p>';
    my $request = POST('/', [ignored_param => $payload]);
    my ($response, $ctx) = ctx_request($request);
    is $response->code, RC_OK, 'response ok';
    is $ctx->req->param('ignored_param'), $payload,
        'HTML left alone in ignored (by name) field';
}
{
diag "HTML-ish looking but left alone by ignore_values";
my $value = '\<:100';
my $req = POST('/', [htmlish => $value]);
my ($res, $c) = ctx_request($req);
is($res->code, RC_OK, 'response ok');
is(
$c->req->param('htmlish'),
( run in 0.907 second using v1.01-cache-2.11-cpan-df04353d9ac )