
z_ui_thread_13_filetest.gno

0.94 Kb · 32 lines
 1// PKGPATH: gno.land/r/gnoland/boards2/v1/filetests/z_ui_thread_13_filetest
 2
 3// A non-numeric thread/reply ID segment in the URL is echoed back in the error
 4// message; it must be escaped so a crafted URL can't inject markup/HTML into
 5// the rendered page (a reflected-injection vector, live under gnoweb -html).
 6package z_ui_thread_13_filetest
 7
 8import (
 9	"strings"
10	"testing"
11
12	boards2 "gno.land/r/gnoland/boards2/v1"
13)
14
// owner is the address that init installs as the calling user realm before
// it creates the test board.
const owner address = "g1rp7cmetn27eqlpjpc4vuusf8kaj746tysc0qgh"
16
// init prepares the fixture for main: it switches the test realm to a user
// realm for owner and creates the board "test-board", so the render call in
// main has an existing board to route into.
func init(cur realm) {
	caller := testing.NewUserRealm(owner)
	testing.SetRealm(caller)

	// Both boolean options are passed as false; their meaning is defined by
	// boards2.CreateBoard, which is not visible in this file.
	const boardName = "test-board"
	boards2.CreateBoard(cross(cur), boardName, false, false)
}
21
// main renders a thread path whose ID segment is not numeric and prints
// whether the page reports the invalid ID without echoing it back raw.
func main(cur realm) {
	// The board exists, so the route reaches renderThread. "9<x" fails Atoi and
	// is echoed in the error message; with escaping in place the raw "9<x" must
	// not appear (md.EscapeText → "9\<x").
	rendered := boards2.Render("test-board/9<x")

	reportsInvalidID := strings.Contains(rendered, "Invalid thread ID")
	echoesRawInput := strings.Contains(rendered, "9<x")

	// NOTE(review): this pins only the '<' case and only the absence of the raw
	// string. It would also pass if the segment were dropped from the message,
	// and it does not exercise other markup characters. Confirm those cases are
	// covered by other tests.
	println(reportsInvalidID && !echoesRawInput)
}
30
31// Output:
32// true