import 'dart:io';
import 'package:angel_diagnostics/angel_diagnostics.dart';
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_security/angel_security.dart';
import 'package:angel_test/angel_test.dart';
import 'package:angel_validate/server.dart';
import 'package:matcher/matcher.dart';
import 'package:test/test.dart';
/// Body schema shared by the XSS test routes below.
///
/// Declares a single `html` field that must be a string; anything else is
/// rejected by `validate()` before `sanitizeHtmlInput()` ever sees the body.
/// The trailing `*` is presumably angel_validate's "required" marker — confirm
/// against the package docs before relying on it for a missing-field test.
final Validator untrustedSchema = new Validator({
  'html*': isString,
});
main() async {
Angel app;
TestClient client;
setUp(() async {
app = new Angel();
app.chain([validate(untrustedSchema), sanitizeHtmlInput()])
..post('/untrusted', (RequestContext req, ResponseContext res) async {
String untrusted = req.body['html'];
res
..contentType = ContentType.HTML
..write('''
Potential Security Hole
$untrusted
''');
})
..post('/attribute', (RequestContext req, ResponseContext res) async {
String untrusted = req.body['html'];
res
..contentType = ContentType.HTML
..write('''
Potential Security Hole
''');
});
await app.configure(logRequests(new File('log.txt')));
client = await connectTo(app);
});
tearDown(() => client.close());
group('script tag', () {
test('normal', () async {
var xss = "";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('"';
var response = await client.post('/attribute', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('