MrSphay/odysseus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b19e5693afbf0d22c7832fcbb4d35ef663794e4e
odysseus/tests/test_signature_settings_dom_xss.py
Vykos ca8ca38a32 Guard image and QR DOM attributes (#2500)
2026-06-04 20:51:23 +02:00

27 lines
939 B
Python
Raw Blame History

"""Regression guards for DOM attribute sinks in signature/settings UI."""
from pathlib import Path
_REPO = Path(__file__).resolve().parent.parent
def test_signature_picker_allows_only_raster_data_urls():
src = (_REPO / "static" / "js" / "signature.js").read_text(encoding="utf-8")
assert "function _safeSignatureDataUrl(raw)" in src
assert r"^data:image\/(?:png|jpe?g);base64," in src
assert '<img src="${_esc(dataUrl)}"/>' in src
assert 'dataUrl: s.data_url' not in src
def test_settings_2fa_setup_escapes_secret_and_qr_src():
src = (_REPO / "static" / "js" / "settings.js").read_text(encoding="utf-8")
assert "function safeRasterDataUrl(raw)" in src
assert "const qrCode = safeRasterDataUrl(setup.qr_code);" in src
assert '<img src="${esc(qrCode)}"' in src
assert "${esc(setup.secret)}" in src
assert 'src="${setup.qr_code}"' not in src
assert ">${setup.secret}</div>" not in src
Reference in New Issue View Git Blame Copy Permalink