forgejo/tests/integration/fixtures/TestXSSReviewDismissed/review.yml at ca798e4cc2a8c6e3d1f2cfed01f47d8b3da9361f - mirrors/forgejo - Code: Hack the planet!

mirrors/forgejo

mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-06-17 12:50:42 +00:00

Gusted ca798e4cc2

[SECURITY] Test XSS in dismissed review

It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

2024-02-22 15:33:20 +01:00

9 lines

186 B

YAML

Raw Blame History

 -
   id: 1000
   type: 1
   issue_id: 2
   original_author: "Otto <script class='evil'>alert('Oh no!')</script>"
   content: "XSS time!"
   updated_unix: 1700000000
   created_unix: 1700000000