import 'package:angel_framework/angel_framework.dart'; import 'package:angel_security/angel_security.dart'; import 'package:angel_test/angel_test.dart'; import 'package:angel_validate/server.dart'; import 'package:http_parser/http_parser.dart'; import 'package:logging/logging.dart'; import 'package:matcher/matcher.dart'; import 'package:test/test.dart'; import 'pretty_logging.dart'; final Validator untrustedSchema = Validator({'html*': isString}); main() async { Angel app; TestClient client; setUp(() async { var logger = Logger.detached('angel_security')..onRecord.listen(prettyLog); app = Angel(logger: logger); app.chain([validate(untrustedSchema), sanitizeHtmlInput()]) ..post('/untrusted', (RequestContext req, ResponseContext res) async { String untrusted = req.bodyAsMap['html']; res ..contentType = MediaType('text', 'html') ..write(''' Potential Security Hole $untrusted '''); }) ..post('/attribute', (RequestContext req, ResponseContext res) async { String untrusted = req.bodyAsMap['html']; res ..contentType = MediaType('text', 'html') ..write(''' Potential Security Hole '''); }); var oldHandler = app.errorHandler; app.errorHandler = (e, req, res) { app.logger.severe(e, e.error, e.stackTrace); return oldHandler(e, req, res); }; client = await connectTo(app); }); tearDown(() => client.close()); group('script tag', () { test('normal', () async { var xss = ""; var response = await client.post('/untrusted', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('"; var response = await client.post('/untrusted', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('"'; var response = await client.post('/attribute', body: {'html': xss}); print(response.body); expect(response.body.contains(xss), isFalse); expect(response.body.toLowerCase().contains('