import 'dart:io'; import 'package:angel_diagnostics/angel_diagnostics.dart'; import 'package:angel_framework/angel_framework.dart'; import 'package:angel_security/angel_security.dart'; import 'package:angel_test/angel_test.dart'; import 'package:angel_validate/server.dart'; import 'package:matcher/matcher.dart'; import 'package:test/test.dart'; final Validator untrustedSchema = new Validator({'html*': isString}); main() async { Angel app; TestClient client; setUp(() async { app = new Angel() ..chain(validate(untrustedSchema)) .chain(sanitizeHtmlInput()) .post('/untrusted', (RequestContext req, ResponseContext res) async { String untrusted = req.body['html']; res ..contentType = ContentType.HTML ..write(''' Potential Security Hole $untrusted '''); }) ..chain(validate(untrustedSchema)).post('/attribute', (RequestContext req, ResponseContext res) async { String untrusted = req.body['html']; res ..contentType = ContentType.HTML ..write(''' Potential Security Hole '''); }); await app.configure(logRequests(new File('log.txt'))); client = await connectTo(app); }); tearDown(() => client.close()); group('script tag', () { test('normal', () async { var xss = ""; var response = await client.post('/untrusted', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('"; var response = await client.post('/untrusted', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('"'; var response = await client.post('/attribute', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('