matomo: detect html tags in tracking_js (#32948)
parent
c95a17bd87
commit
0ed638b83e
@ -31,6 +31,14 @@ class SettingsForm(forms.Form):
required=False,
widget=forms.Textarea())
def clean_tracking_js(self):
value = self.cleaned_data['tracking_js']
if '<script' in value:
raise forms.ValidationError(
_('This field should only contain the Javascript code. '
'You should remove the surrounding <script> markup.'))
return value
class EnableForm(forms.Form):
pass
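Review bot: The check `if '<script' in value:` is case-sensitive, so a pasted `<SCRIPT>` or `<Script>` wrapper passes validation and the error is never shown; lowering first keeps the `<script >` case the tests exercise and catches the rest: `if '<script' in value.lower():`. The commit title talks about HTML tags in general, but only the opening script tag is detected, so a lone `</script>` or a `<noscript>` block pasted from a Matomo snippet is still accepted — either widen the check or state the limitation in a docstring. I would also add a docstring making clear this is a usability check for administrators who paste the whole snippet and not a security boundary, since the field is by design arbitrary JavaScript that whoever can edit the form gets to run. Whether `value` can be None rather than '' depends on the field declaration, of which only `required=False` is visible; if it is a plain CharField the `in` test is safe. The enclosing class SettingsForm starts outside the hunk.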
@ -7,11 +7,10 @@ import re
from requests import Response
from webtest import TestApp
from django.conf import settings
from django.contrib.auth.models import User
from django.test import override_settings
from hobo.environment.models import Variable, Wcs, Combo, Fargo
from hobo.environment.models import Wcs, Combo, Fargo
from hobo.wsgi import application
pytestmark = pytest.mark.django_db
@ -123,25 +122,38 @@ def test_enable_manual(admin_user):
app = login(TestApp(application))
# get matomo's validation page
resp1 = app.get('/visits-tracking/enable-manual', status=200)
assert re.search('<textarea.* name="tracking_js"', resp1.body)
resp = app.get('/visits-tracking/enable-manual', status=200)
assert re.search('<textarea.* name="tracking_js"', resp.body)
# validate and get matomo's home page
resp1.form['tracking_js'] = '...js_code_1...'
resp2 = resp1.form.submit().follow()
assert resp2.body.find('Manual configuration.')
assert re.search('<textarea.* name="tracking_js"', resp2.body)
assert resp2.body.find('...js_code_1...</textarea>') != -1
assert resp2.body.find('<button class="submit-button">Save</button>') != -1
resp.form['tracking_js'] = '...js_code_1...'
resp = resp.form.submit().follow()
assert resp.body.find('Manual configuration.')
assert re.search('<textarea.* name="tracking_js"', resp.body)
assert resp.body.find('...js_code_1...</textarea>') != -1
assert resp.body.find('<button class="submit-button">Save</button>') != -1
# update JS code on matomo's home page
resp2.form['tracking_js'] = '...js_code_2...'
resp3 = resp2.form.submit().follow()
assert resp3.body.find('Manual configuration.') != -1
assert re.search('<textarea.* name="tracking_js"', resp3.body)
assert resp3.body.find('...js_code_2...</textarea>') != -1
assert resp3.body.find('<button class="submit-button">Save</button>') != -1
assert resp3.body.find('Good respect of user rights') != -1
resp.form['tracking_js'] = '...js_code_2...'
resp = resp.form.submit().follow()
assert resp.body.find('Manual configuration.') != -1
assert re.search('<textarea.* name="tracking_js"', resp.body)
assert resp.body.find('...js_code_2...</textarea>') != -1
assert resp.body.find('<button class="submit-button">Save</button>') != -1
assert resp.body.find('Good respect of user rights') != -1
# check html tags
resp.form['tracking_js'] = '<script>...js_code_2...</script>'
resp = resp.form.submit()
assert (
'<ul class="errorlist"><li>This field should only contain the Javascript code. '
'You should remove the surrounding <script> markup.</li></ul>') in resp.text
resp.form['tracking_js'] = '<script >'
resp = resp.form.submit()
assert (
'<ul class="errorlist"><li>This field should only contain the Javascript code. '
'You should remove the surrounding <script> markup.</li></ul>') in resp.text
def test_available_options(admin_user):
"""check available buttons (manual/automatic configurations)"""
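Review bot: On the new side, `assert resp.body.find('Manual configuration.')` right after the first submit has no `!= -1`, so it passes even when the text is absent (find returns -1, which is truthy), unlike the sibling assertions that do compare against -1; change it to `assert resp.body.find('Manual configuration.') != -1`. The new html-tag checks submit `<script>` and `<script >` but nothing with different casing such as `<SCRIPT>`, so if the form's check is meant to reject those too, a third submission should pin it; if it is deliberately case-sensitive, a comment saying so would stop a later reader from "fixing" it either way. The function test_enable_manual starts outside the hunk.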