Coverage for tests / test_swagger_ui_escape.py: 100%

Shortcuts on this page

r m x toggle line displays

j k next/prev highlighted chunk

0 (zero) top of page

1 (one) first highlighted chunk

[ ] prev/next file

u up to the index

? show/hide this help

18 statements

1from fastapi.openapi.docs import get_swagger_ui_html 4 ctx1ijkl

4def test_init_oauth_html_chars_are_escaped(): 4 ctx1ijkl

5 xss_payload = "Evil</script><script>alert(1)</script>" 4 ctx1abcd

6 html = get_swagger_ui_html( 4 ctx1abcd

7 openapi_url="/openapi.json",

8 title="Test",

9 init_oauth={"appName": xss_payload},

11 body = html.body.decode() 4 ctx1abcd

13 assert "</script><script>" not in body 4 ctx1abcd

14 assert "\\u003c/script\\u003e\\u003cscript\\u003e" in body 4 ctx1abcd

17def test_swagger_ui_parameters_html_chars_are_escaped(): 4 ctx1ijkl

18 html = get_swagger_ui_html( 4 ctx1mnop

19 openapi_url="/openapi.json",

20 title="Test",

21 swagger_ui_parameters={"customKey": "<img src=x onerror=alert(1)>"},

23 body = html.body.decode() 4 ctx1mnop

24 assert "<img src=x onerror=alert(1)>" not in body 4 ctx1mnop

25 assert "\\u003cimg" in body 4 ctx1mnop

28def test_normal_init_oauth_still_works(): 4 ctx1ijkl

29 html = get_swagger_ui_html( 4 ctx1efgh

30 openapi_url="/openapi.json",

31 title="Test",

32 init_oauth={"clientId": "my-client", "appName": "My App"},

34 body = html.body.decode() 4 ctx1efgh

35 assert '"clientId": "my-client"' in body 4 ctx1efgh

36 assert '"appName": "My App"' in body 4 ctx1efgh

37 assert "ui.initOAuth" in body 4 ctx1efgh