4 use RT::Test tests => undef;
6 my ($base, $m) = RT::Test->started_ok;
8 my $link = RT::Test->load_or_create_custom_field(
13 LinkValueTo => '__CustomField__',
16 my $include = RT::Test->load_or_create_custom_field(
21 IncludeContentForValue => '__CustomField__',
24 my $data_uri = 'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+';
25 my $xss = q{')-eval(decodeURI('alert("xss")'))-('};
27 my $ticket = RT::Ticket->new(RT->SystemUser);
30 Subject => 'ticket A',
31 'CustomField-'.$link->id => $data_uri,
32 'CustomField-'.$include->id => $xss,
34 ok $ticket->Id, 'created ticket';
36 ok $m->login('root', 'password'), "logged in";
37 $m->get_ok($base . "/Ticket/Display.html?id=" . $ticket->id);
39 # look for lack of link to data:text/html;base64,...
40 ok !$m->find_link(text => $data_uri), "no data: link";
41 ok !$m->find_link(url => $data_uri), "no data: link";
43 # look for unescaped JS
44 $m->content_lacks($xss, 'escaped js');
46 $m->warning_like(qr/Potentially dangerous URL type/, "found warning about dangerous link");