z_ui_thread_13_filetest.gno
1// PKGPATH: gno.land/r/gnoland/boards2/v1/filetests/z_ui_thread_13_filetest
2
// A non-numeric thread/reply ID segment in the URL is echoed back in the error
// message. It must be escaped so that a crafted URL cannot inject markup/HTML
// into the rendered page (a reflected-injection vector, live under gnoweb -html).
6package z_ui_thread_13_filetest
7
8import (
9 "strings"
10 "testing"
11
12 boards2 "gno.land/r/gnoland/boards2/v1"
13)
14
// owner is the address that init installs as the current user realm before it
// creates the board.
const (
	owner address = "g1rp7cmetn27eqlpjpc4vuusf8kaj746tysc0qgh"
)
16
// init prepares the fixture for main: it sets the test realm to a user realm
// for owner and then creates the board named "test-board".
func init(cur realm) {
	ownerRealm := testing.NewUserRealm(owner)
	testing.SetRealm(ownerRealm)

	// The board has to exist, otherwise the route rendered in main would stop
	// at the board lookup instead of reaching the thread ID parsing.
	boards2.CreateBoard(cross(cur), "test-board", false, false)
}
21
// main renders a thread route whose ID segment is the non-numeric "9<x" and
// prints whether the page reports the invalid ID without echoing it verbatim.
func main(cur realm) {
	// The board was created in init, so the route reaches renderThread, where
	// "9<x" fails Atoi and is echoed in the error text. The echo goes through
	// md.EscapeText ("9\<x"), so the raw "9<x" must not occur in the output.
	rendered := boards2.Render("test-board/9<x")

	reportsBadID := strings.Contains(rendered, "Invalid thread ID")
	echoesRaw := strings.Contains(rendered, "9<x")

	// Only the absence of the raw segment is checked here; the exact escaped
	// form is not pinned by this test.
	println(reportsBadID && !echoesRaw)
}
30
31// Output:
32// true