From 2e441d4bbf530c3f10a38381888545aa65ad65b1 Mon Sep 17 00:00:00 2001
From: thosakwe
Date: Tue, 28 Mar 2017 22:44:56 -0400
Subject: [PATCH] 1.0.2

---
 README.md | 2 +-
 lib/src/sanitize.dart | 10 +++++++---
 pubspec.yaml | 2 +-
 test/hooks_test.dart | 2 +-
 test/sanitize_test.dart | 14 ++++++-------
 test/throttle_test.dart | 8 ++++----
 6 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 93644552..907058cb 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # security
-[![version 1.0.1](https://img.shields.io/badge/pub-v1.0.1-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
+[![version 1.0.2](https://img.shields.io/badge/pub-v1.0.2-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
 [![build status](https://travis-ci.org/angel-dart/security.svg)](https://travis-ci.org/angel-dart/security)
 
 Angel middleware designed to enhance application security by patching common Web security
diff --git a/lib/src/sanitize.dart b/lib/src/sanitize.dart
index 827fb4ef..613edb82 100644
--- a/lib/src/sanitize.dart
+++ b/lib/src/sanitize.dart
@@ -10,7 +10,7 @@ final Map DEFAULT_SANITIZERS = {
 /// Mitigates XSS risk by sanitizing user HTML input.
 ///
 /// You can also provide a Map of patterns to [replace].
-/// 
+///
 /// You can sanitize the [body] or [query] (both `true` by default).
 RequestMiddleware sanitizeHtmlInput(
     {bool body: true,
@@ -19,8 +19,12 @@ RequestMiddleware sanitizeHtmlInput(
   var sanitizers = {}..addAll(DEFAULT_SANITIZERS)..addAll(replace ?? {});
 
   return (RequestContext req, res) async {
-    if (body) _sanitizeMap(await req.lazyBody(), sanitizers);
-    if (query) _sanitizeMap(await req.lazyQuery(), sanitizers);
+    if (body) {
+      await req.parse();
+      _sanitizeMap(req.body, sanitizers);
+    }
+
+    if (query) _sanitizeMap(req.query, sanitizers);
     return true;
   };
 }
diff --git a/pubspec.yaml b/pubspec.yaml
index 59f84c8a..d39fcf3a 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
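Review bot: `await req.parse()` in the new body branch parses the request body on every request that reaches this middleware while `body` is true, whereas the removed `req.lazyBody()` call suggests the body used to be materialised only on demand; the docstring in the previous hunk says nothing about this eager side effect, so add to it `/// When [body] is true, the request body is parsed eagerly (req.parse()) before it is sanitized.` Two things to confirm: `_sanitizeMap` looks like it rewrites the map in place, so if the `req.body` getter builds a fresh map on each access the sanitized values would be discarded; and the `query` branch reads `req.query` without a `parse()`, which is only correct if query parameters are available before parsing. The enclosing `sanitizeHtmlInput` function starts outside the hunk.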
@@ -1,5 +1,5 @@
 name: angel_security
-version: 1.0.1
+version: 1.0.2
 description: Angel middleware designed to enhance application security by patching common Web security holes.
 author: Tobe O
 environment:
diff --git a/test/hooks_test.dart b/test/hooks_test.dart
index f47b4f73..3c158e91 100644
--- a/test/hooks_test.dart
+++ b/test/hooks_test.dart
@@ -29,7 +29,7 @@ main() {
       ..beforeIndexed.listen(hooks.queryWithCurrentUser())
       ..beforeCreated.listen(hooks.hashPassword());
 
-    app.service('artists')
+    app.service('artists') as HookedService
       ..beforeIndexed.listen(hooks.restrictToAuthenticated())
       ..beforeRead.listen(hooks.restrictToOwner())
       ..beforeCreated.listen(hooks.associateCurrentUser());
diff --git a/test/sanitize_test.dart b/test/sanitize_test.dart
index 316f5778..c9878c19 100644
--- a/test/sanitize_test.dart
+++ b/test/sanitize_test.dart
@@ -14,10 +14,9 @@ main() async {
   TestClient client;
 
   setUp(() async {
-    app = new Angel()
-      ..chain(validate(untrustedSchema))
-          .chain(sanitizeHtmlInput())
-          .post('/untrusted', (RequestContext req, ResponseContext res) async {
+    app = new Angel();
+    app.chain([validate(untrustedSchema), sanitizeHtmlInput()])
+      ..post('/untrusted', (RequestContext req, ResponseContext res) async {
       String untrusted = req.body['html'];
       res
         ..contentType = ContentType.HTML
@@ -30,8 +29,7 @@ main() async {
       $untrusted
       ''');
     })
-      ..chain(validate(untrustedSchema)).post('/attribute',
-          (RequestContext req, ResponseContext res) async {
+      ..post('/attribute', (RequestContext req, ResponseContext res) async {
       String untrusted = req.body['html'];
       res
         ..contentType = ContentType.HTML
@@ -108,7 +106,7 @@ main() async {
     var response = await client.post('/attribute', body: {'html': xss});
     print(response.body);
     expect(response.body.contains(xss), isFalse);
-    expect(response.body.toLowerCase().contains('javascript:'), isFalse);
+    expect(response.body.toLowerCase().contains(xss), isFalse);
   });
 
   test('style attribute', () async {
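Review bot: The cast on the added line relies on `as` binding tighter than the cascade operator, so `app.service('artists') as HookedService ..beforeIndexed...` parses as intended but reads as if the cascade applied to `HookedService`; parenthesising it, `(app.service('artists') as HookedService)`, makes the receiver explicit. The sibling cascade in the context lines above presumably has the same shape, so the same form there would keep the file consistent. The enclosing `main()` starts and ends outside the hunk.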
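Review bot: The replacement assertion `expect(response.body.toLowerCase().contains(xss), isFalse);` is weaker than the one it removes and largely duplicates the line above it: it no longer checks that the `javascript:` scheme is gone from the output, and lowercasing the body while keeping `xss` in its original case means the check can never fire if the payload contains an uppercase letter. The same edit is made in the `@@ -116,6 +114,6 @@` hunk. If the removed check was dropped because the `/attribute` route now also runs `sanitizeHtmlInput()` (the earlier hunks in this file cascade both `post` routes off `app.chain([validate(untrustedSchema), sanitizeHtmlInput()])`, where `/attribute` previously had only `validate`), the sanitizer's output for these payloads should be asserted directly rather than loosened, e.g. `expect(response.body.toLowerCase(), isNot(contains('javascript:')));`; since the route interpolates `$untrusted` straight into an HTML response, these assertions are the only evidence that the pattern replacement actually removes the dangerous scheme. The enclosing `main()` and each `test(...)` body start outside the hunk.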
@@ -116,6 +114,6 @@ main() async {
     var response = await client.post('/attribute', body: {'html': xss});
     print(response.body);
     expect(response.body.contains(xss), isFalse);
-    expect(response.body.toLowerCase().contains('javascript:'), isFalse);
+    expect(response.body.toLowerCase().contains(xss), isFalse);
   });
 }
diff --git a/test/throttle_test.dart b/test/throttle_test.dart
index b0002dce..7da3ba26 100644
--- a/test/throttle_test.dart
+++ b/test/throttle_test.dart
@@ -27,7 +27,7 @@ main() {
     // First request within the hour is fine
     var response = await client.get('/once-per-hour');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Second request within an hour? No no no!
     response = await client.get('/once-per-hour');
@@ -39,19 +39,19 @@ main() {
     // First request within the minute is fine
     var response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Second request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response.body, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Third request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Fourth request within a minute? No no no!
     response = await client.get('/thrice-per-minute');
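Review bot: The new expectation `hasBody('"OK"')` encodes the observation that the response body now arrives with its quotes (presumably JSON-serialised), but nothing in the test says so, so the quoted literal reads like a typo; a comment on the changed line, `// the handler's OK is returned as a serialised string, quotes included`, or a shared `const okBody = '"OK"';` used by every expectation in this file, would make the intent explicit. The same literal is repeated three more times in the following hunk. The enclosing `test(...)` body and `main()` start outside the hunk.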