e2e: assert sanitized iframe in popups

3liz · Nov 7, 2024 · 3030a99 · 3030a99
1 parent 2828078
commit 3030a99
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/tests/end2end/playwright/xss.spec.js b/tests/end2end/playwright/xss.spec.js
@@ -3,6 +3,11 @@ import { test, expect } from '@playwright/test';
 import { gotoMap } from './globals';
 
 test.describe('XSS', () => {
+    test.beforeEach(async ({ page }) => {
+        const url = '/index.php/view/map/?repository=testsrepository&project=xss';
+        await gotoMap(url, page);
+    });
+
     // Test that flawed data are sanitized before being displayed
     test('No dialog from inline JS alert() appears', async ({ page }) => {
 
@@ -12,9 +17,6 @@ test.describe('XSS', () => {
             dialogOpens++;
         });
 
-        const url = '/index.php/view/map/?repository=testsrepository&project=xss';
-        await gotoMap(url, page)
-
         // Edition: add XSS data
         await page.locator('#button-edition').click();
         await page.locator('#edition-draw').click();
@@ -39,4 +41,20 @@ test.describe('XSS', () => {
 
         expect(dialogOpens).toEqual(0);
     });
+
+    test('Sanitized iframe in popup', async ({ page }) => {
+        let getFeatureInfoRequestPromise = page.waitForRequest(request => request.method() === 'POST' && request.postData()?.includes('GetFeatureInfo') === true);
+
+        // Open popup
+        await page.locator('#newOlMap').click({
+            position: {
+                x: 500,
+                y: 285
+            }
+        });
+
+        await getFeatureInfoRequestPromise;
+
+        await expect(page.locator('#popupcontent iframe')).toHaveAttribute('sandbox', 'allow-scripts allow-forms');
+    });
 });