path: root/rt/t/security/CVE-2011-2083-clickable-xss.t
use strict;
use warnings;

use RT::Test tests => undef;
use Test::Warn;

# Regression test for CVE-2011-2083: a ticket link whose target uses a
# script-bearing URI scheme must not be stored by the model layer and must
# not be rendered as a clickable <a href> by the Links page.
my ($base, $m) = RT::Test->started_ok;

my $ticket = RT::Test->create_ticket(
    Queue   => 'General',
    Subject => 'test ticket A',
);
my $id = $ticket->id;
ok $id, "created ticket";

# Two payloads: a javascript: URL and a data: URL carrying inline script.
# Each one is also tried with a capitalised scheme, since browsers treat the
# scheme case-insensitively and a case-sensitive filter would let it through.
my @payloads = (
    'javascript:alert("xss")',
    'data:text/html,<script>alert("xss")</script>',
);
my @targets = map { ($_, ucfirst $_) } @payloads;

for my $target (@targets) {
    # Model layer: AddLink must refuse the target (and warn that it could
    # not work out a URI scheme) instead of persisting it.
    my ($added, $reason);
    warnings_like {
        ($added, $reason) = $ticket->AddLink(
            Type    => 'RefersTo',
            Target  => $target,
        );
    } [qr/Could not determine a URI scheme/];
    ok !$added, $reason;

    # Web layer: push the same target through the ticket's Links form and
    # expect the "Couldn't resolve" error plus the same server-side warning.
    ok $m->login, "logged in";
    $m->get_ok($base);
    $m->follow_link_ok({ text => 'test ticket A' }, 'ticket page');
    $m->follow_link_ok({ text => 'Links' }, 'links page');
    $m->submit_form_ok({
        with_fields => {
            "$id-RefersTo" => $target,
        },
        button  => 'SubmitTicket',
    }, 'submitted links page');
    $m->content_contains("Couldn&#39;t resolve ");
    $m->next_warning_like(qr/Could not determine a URI scheme/, 'expected warning');

    # The response must not contain an <a> whose href is the raw payload.
    # NOTE(review): find_link matches the exact href string, so a variant the
    # form might normalise (stripped whitespace, different case beyond
    # ucfirst) is not covered by this check.
    my $anchor = $m->find_link( url => $target );
    ok !$anchor, "no <a> link";
}

# Every warning raised above was consumed by next_warning_like; anything
# left over would mean an unexpected code path fired.
$m->no_leftover_warnings_ok;

undef $m;
done_testing;