From fc6bfcb6de2d8b99c3a655a773dbd84560ccc112 Mon Sep 17 00:00:00 2001
From: thosakwe
Date: Tue, 28 Mar 2017 22:14:47 -0400
Subject: [PATCH] Broken

---
 README.md | 2 +-
 lib/src/csrf.dart | 4 ++--
 lib/src/sanitize.dart | 6 ++++--
 pubspec.yaml | 2 +-
 test/hooks_test.dart | 4 +++-
 test/throttle_test.dart | 12 ++++++------
 6 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 7901e03e..93644552 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # security
-[![version 1.0.0](https://img.shields.io/badge/pub-v1.0.0-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
+[![version 1.0.1](https://img.shields.io/badge/pub-v1.0.1-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
 [![build status](https://travis-ci.org/angel-dart/security.svg)](https://travis-ci.org/angel-dart/security)
 Angel middleware designed to enhance application security by patching common Web security
diff --git a/lib/src/csrf.dart b/lib/src/csrf.dart
index c6ebe0ba..2746b3fc 100644
--- a/lib/src/csrf.dart
+++ b/lib/src/csrf.dart
@@ -12,9 +12,9 @@ RequestMiddleware verifyCsrfToken(
 return (RequestContext req, res) async {
 String csrfToken;
- if (allowQuery && req.query.containsKey(name))
+ if (allowQuery && (await req.lazyQuery()).containsKey(name))
 csrfToken = req.query[name];
- else if (req.body.containsKey(name))
+ else if ((await req.lazyBody()).containsKey(name))
 csrfToken = req.body[name];
 else if (allowCookie) {
 var cookie =
diff --git a/lib/src/sanitize.dart b/lib/src/sanitize.dart
index 549868f7..827fb4ef 100644
--- a/lib/src/sanitize.dart
+++ b/lib/src/sanitize.dart
@@ -10,6 +10,8 @@ final Map DEFAULT_SANITIZERS = {
 /// Mitigates XSS risk by sanitizing user HTML input.
 ///
 /// You can also provide a Map of patterns to [replace].
+///
+/// You can sanitize the [body] or [query] (both `true` by default).
 RequestMiddleware sanitizeHtmlInput(
 {bool body: true, bool query: true,
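Review bot: In the two changed condition lines of the csrf.dart hunk the map returned by `await req.lazyQuery()` / `await req.lazyBody()` is checked with `containsKey` and then discarded, while the token itself is read back through `req.query[name]` / `req.body[name]` on the unchanged lines below. Whether those getters are guaranteed to be populated once the lazy call has completed is not visible here; even if they are, the dependency is implicit and easy to break, which matters for a check whose whole job is to reject requests without a valid token. Bind the parsed map to a local and read from it, keeping the body parse lazy as before. The `else if (allowCookie)` branch and the rest of the closure continue outside the hunk.
```dart
    String csrfToken;
    var query = allowQuery ? await req.lazyQuery() : const {};
    // Only parse the body when the query string did not carry the token.
    var body = query.containsKey(name) ? const {} : await req.lazyBody();

    if (query.containsKey(name))
      csrfToken = query[name];
    else if (body.containsKey(name))
      csrfToken = body[name];
    else if (allowCookie) {
    // … unchanged: cookie lookup …
```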
@@ -17,8 +19,8 @@ RequestMiddleware sanitizeHtmlInput(
 var sanitizers = {}..addAll(DEFAULT_SANITIZERS)..addAll(replace ?? {});
 return (RequestContext req, res) async {
- if (body) _sanitizeMap(req.body, sanitizers);
- if (query) _sanitizeMap(req.query, sanitizers);
+ if (body) _sanitizeMap(await req.lazyBody(), sanitizers);
+ if (query) _sanitizeMap(await req.lazyQuery(), sanitizers);
 return true;
 };
 }
diff --git a/pubspec.yaml b/pubspec.yaml
index ee914fc9..59f84c8a 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
@@ -1,5 +1,5 @@
 name: angel_security
-version: 1.0.0
+version: 1.0.1
 description: Angel middleware designed to enhance application security by patching common Web security holes.
 author: Tobe O
 environment:
diff --git a/test/hooks_test.dart b/test/hooks_test.dart
index 6578d91f..f47b4f73 100644
--- a/test/hooks_test.dart
+++ b/test/hooks_test.dart
@@ -11,6 +11,7 @@ main() {
 setUp(() async {
 app = new Angel()
+ ..lazyParseBodies = true
 ..before.add((RequestContext req, res) async {
 var xUser = req.headers.value('X-User');
 if (xUser != null)
@@ -65,7 +66,8 @@ main() {
 var response = await client
 .post('/artists', headers: {'X-User': 'John'}, body: {'foo': 'bar'});
 print('Response: ${response.body}');
- expect(response, allOf(hasStatus(200), isJson({'foo': 'bar'})));
+ print('Status: ${response.statusCode}');
+ expect(response, allOf(hasStatus(201), isJson({'foo': 'bar'})));
 });
 });
diff --git a/test/throttle_test.dart b/test/throttle_test.dart
index edb7e2bd..b0002dce 100644
--- a/test/throttle_test.dart
+++ b/test/throttle_test.dart
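Review bot: In the sanitize.dart hunk `_sanitizeMap` is now handed the result of `await req.lazyBody()` / `await req.lazyQuery()`, and since the middleware returns `true` without passing anything on, its XSS mitigation only takes effect if that awaited map is the very same instance later handlers read through `req.body` / `req.query`; if the framework ever returns a copy, the sanitization silently becomes a no-op with no test failing. That contract is not visible in this hunk, so state it next to the calls, e.g. `// lazyBody()/lazyQuery() must return the request's own map: _sanitizeMap mutates it in place and downstream handlers must see the sanitized values.`, and back it with a test that reads a sanitized field through `req.body` in a handler registered after this middleware. The enclosing `sanitizeHtmlInput` signature starts outside the hunk.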
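Review bot: The added `..lazyParseBodies = true` in the first hooks_test.dart hunk moves the entire suite onto lazy body parsing, so whatever the framework's default parsing mode is stops being exercised by these tests; if the package is meant to work in both modes (the csrf and sanitize changes in this commit depend on the lazy API), run the group once per mode rather than only lazily. A short comment on the new line saying why lazy parsing is required here, e.g. `// the middleware under test reads bodies via lazyBody()/lazyQuery()`, would also help the next reader. The `setUp` body continues outside the hunk.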
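Review bot: The added `print('Status: ${response.statusCode}');` in the second hooks_test.dart hunk, next to the existing `print('Response: …')`, reads as debugging output left in; the `hasStatus(201)` matcher on the following line already reports the actual status when it fails, so the print can be dropped. Changing the expectation from 200 to 201 is a real behavioural claim (created rather than OK) that the commit subject `Broken` does not explain — a sentence in the description saying where the 201 comes from would make the intent reviewable. The enclosing test starts outside the hunk.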
@@ -27,35 +27,35 @@ main() {
 // First request within the hour is fine
 var response = await client.get('/once-per-hour');
 print(response.body);
- expect(response.body, contains('OK'));
+ expect(response, hasBody('OK'));
 // Second request within an hour? No no no!
 response = await client.get('/once-per-hour');
 print(response.body);
- expect(response, hasStatus(429));
+ expect(response, isAngelHttpException(statusCode: 429));
 });
 test('thrice per minute', () async {
 // First request within the minute is fine
 var response = await client.get('/thrice-per-minute');
 print(response.body);
- expect(response.body, contains('OK'));
+ expect(response, hasBody('OK'));
 // Second request within the minute is fine
 response = await client.get('/thrice-per-minute');
 print(response.body);
- expect(response.body, contains('OK'));
+ expect(response.body, hasBody('OK'));
 // Third request within the minute is fine
 response = await client.get('/thrice-per-minute');
 print(response.body);
- expect(response.body, contains('OK'));
+ expect(response, hasBody('OK'));
 // Fourth request within a minute? No no no!
 response = await client.get('/thrice-per-minute');
 print(response.body);
- expect(response, hasStatus(429));
+ expect(response, isAngelHttpException(statusCode: 429));
 });
 }
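Review bot: The new assertion for the second request in the 'thrice per minute' test, `expect(response.body, hasBody('OK'));`, passes the body string to `hasBody`, whereas the other three new `hasBody` assertions in this hunk pass `response`; the matcher presumably inspects a response object, so this line will most likely fail or match the wrong thing and should read `expect(response, hasBody('OK'));`. Since the `isAngelHttpException(statusCode: 429)` assertions are the ones guarding the rate limit, it is worth re-running the suite after the fix to confirm the 'thrice' group really reaches the fourth request. The 'once per hour' test starts outside the hunk.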