forgejo/tests/integration/fixtures/TestXSSReviewDismissed/review.yml at 2fe5f6f73283c2f6935ded62440a1f15ded12dcd - mirrors/forgejo - Angry.Im Software Forge

mirrors/forgejo

mirror of https://codeberg.org/forgejo/forgejo synced 2024-06-01 09:46:58 +02:00

Gusted 672caa6813

[SECURITY] Test XSS in dismissed review

It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
(cherry picked from commit d3de80b9cc)

2024-02-22 22:44:22 +01:00

9 lines

186 B

YAML

Raw Blame History

 -
   id: 1000
   type: 1
   issue_id: 2
   original_author: "Otto <script class='evil'>alert('Oh no!')</script>"
   content: "XSS time!"
   updated_unix: 1700000000
   created_unix: 1700000000