add a xss encoding test

Sam Pullara · Sam Pullara · commit fd2a35146fab · 2011-10-18T16:37:17.000-07:00
diff --git a/builder/src/test/java/com/sampullara/mustache/InterpreterTest.java b/builder/src/test/java/com/sampullara/mustache/InterpreterTest.java
@@ -1,12 +1,14 @@
 package com.sampullara.mustache;
 
 import com.google.common.base.Function;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.util.concurrent.SettableFuture;
 import com.sampullara.util.FutureWriter;
 import com.sampullara.util.TemplateFunction;
 import com.sampullara.util.http.JSONHttpRequest;
 import junit.framework.TestCase;
 import org.codehaus.jackson.JsonFactory;
+import org.codehaus.jackson.JsonGenerator;
 import org.codehaus.jackson.JsonNode;
 import org.codehaus.jackson.JsonParser;
 import org.codehaus.jackson.map.MappingJsonFactory;
@@ -56,6 +58,25 @@ int taxed_value() {
     assertEquals(getContents(root, "simple.txt"), sw.toString());
   }
 
+  public void testXSS() throws MustacheException, IOException, ExecutionException, InterruptedException {
+    MustacheBuilder c = new MustacheBuilder(root);
+    Mustache m = c.parseFile("xss.html");
+    final StringWriter json = new StringWriter();
+    ImmutableMap<String, Object> of = ImmutableMap.<String, Object>of("foo", "bar", "\"baz\"", 42);
+    MappingJsonFactory jf = new MappingJsonFactory();
+    JsonGenerator jg = jf.createJsonGenerator(json);
+    jg.writeObject(of);
+    jg.flush();
+    StringWriter sw = new StringWriter();
+    FutureWriter writer = new FutureWriter(sw);
+    m.execute(writer, new Scope(new Object() {
+      String message = "I <3 Ponies!";
+      String object = json.toString();
+    }));
+    writer.flush();
+    assertEquals(getContents(root, "xss.txt"), sw.toString());
+  }
+
   public void testIdentitySimple() throws MustacheException, IOException, ExecutionException, InterruptedException {
     MustacheBuilder c = new MustacheBuilder(root);
     Mustache m = c.parseFile("simple.html");
diff --git a/builder/src/test/java/com/sampullara/mustache/UnexecuteTest.java b/builder/src/test/java/com/sampullara/mustache/UnexecuteTest.java
@@ -174,6 +174,27 @@ public void testPartial() throws MustacheException, IOException {
     assertEquals(getContents(root, "template_partial.txt"), sw.toString());
   }
 
+  @Test
+  public void testPartial2() throws MustacheException, IOException {
+    MustacheBuilder c = init();
+    Mustache m = c.parseFile("template_partial2.html");
+    StringWriter sw = new StringWriter();
+    Scope scope = new Scope();
+    scope.put("title", "Welcome");
+    scope.put("template_partial_2", new Object() {
+      String again = "Goodbye";
+    });
+    scope.put("test", true);
+    m.execute(sw, scope);
+    assertEquals(getContents(root, "template_partial2.txt"), sw.toString());
+
+    scope = m.unexecute(sw.toString());
+    sw = new StringWriter();
+    m.execute(sw, scope);
+    System.out.println(scope);
+    assertEquals(getContents(root, "template_partial2.txt"), sw.toString());
+  }
+
   @Test
   public void testSimpleLamda() throws MustacheException, IOException {
     MustacheBuilder c = new MustacheBuilder(root);
diff --git a/core/src/main/java/com/sampullara/mustache/Mustache.java b/core/src/main/java/com/sampullara/mustache/Mustache.java
@@ -87,6 +87,7 @@ protected Scope unexecute(String text, AtomicInteger position) throws MustacheEx
         line.set(compiled[i].getLine());
       }
       Code[] truncate = truncate(compiled, i + 1);
+      System.out.println("Unexecute " + compiled[i].toString());
       current = compiled[i].unexecute(current, text, position, truncate);
     }
     return current;
diff --git a/src/test/resources/template_partial2.html b/src/test/resources/template_partial2.html
@@ -0,0 +1,5 @@
+<h1>{{title}}</h1>
+{{#test}}
+{{>template_partial_2}}
+{{/test}}
+Test: {{template_partial_2.again}}
diff --git a/src/test/resources/template_partial2.txt b/src/test/resources/template_partial2.txt
@@ -0,0 +1,3 @@
+<h1>Welcome</h1>
+Again, Goodbye!
+Test: Goodbye
diff --git a/src/test/resources/xss.html b/src/test/resources/xss.html
@@ -0,0 +1,2 @@
+<b>{{message}}</b>
+<button onclick="foo({{object}})"></button>
diff --git a/src/test/resources/xss.txt b/src/test/resources/xss.txt
@@ -0,0 +1,2 @@
+<b>I &lt;3 Ponies!</b>
+<button onclick="foo({&quot;foo&quot;:&quot;bar&quot;,&quot;\&quot;baz\&quot;&quot;:42})"></button>

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ protected Scope unexecute(String text, AtomicInteger position) throws MustacheEx`
`87`	`87`	`line.set(compiled[i].getLine());`
`88`	`88`	`}`
`89`	`89`	`Code[] truncate = truncate(compiled, i + 1);`
	`90`	`+ System.out.println("Unexecute " + compiled[i].toString());`
`90`	`91`	`current = compiled[i].unexecute(current, text, position, truncate);`
`91`	`92`	`}`
`92`	`93`	`return current;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<h1>Welcome</h1>`
	`2`	`+Again, Goodbye!`
	`3`	`+Test: Goodbye`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<b>{{message}}</b>`
	`2`	`+<button onclick="foo({{object}})"></button>`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<b>I <3 Ponies!</b>`
	`2`	`+<button onclick="foo({"foo":"bar","\"baz\"":42})"></button>`