From 1a5aad5e039579b915afe3997efb8351e2685a73 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 5 Jul 2019 11:33:58 +1000
Subject: [PATCH] tests: Add test for unescaped values in patch detail page

Add a test to check whether we are escaping values from the Patch model on
the patch detail page.

This test shouldn't be relied upon as proof that we've escaped everything
correctly, but may help catch regressions.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
(backported from df80e690bcc32d483875dcb36b488764c89ec9b6)
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 patchwork/tests/test_detail.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/patchwork/tests/test_detail.py b/patchwork/tests/test_detail.py
index 5d8534ea..fa3207cf 100644
--- a/patchwork/tests/test_detail.py
+++ b/patchwork/tests/test_detail.py
@@ -66,6 +66,23 @@ class PatchViewTest(TestCase):
                 response,
                 reverse('series-mbox', kwargs={'series_id': series_.id}))
 
+    def test_escaping(self):
+        # Warning: this test doesn't guarantee anything - it only tests some
+        # fields
+        unescaped_string = 'blah<b>TEST</b>blah'
+        patch = create_patch()
+        patch.diff = unescaped_string
+        patch.commit_ref = unescaped_string
+        patch.pull_url = unescaped_string
+        patch.name = unescaped_string
+        patch.msgid = unescaped_string
+        patch.headers = unescaped_string
+        patch.content = unescaped_string
+        patch.save()
+        requested_url = reverse('patch-detail', kwargs={'patch_id': patch.id})
+        response = self.client.get(requested_url)
+        self.assertNotIn('<b>TEST</b>'.encode('utf-8'), response.content)
+
 
 class CommentRedirectTest(TestCase):
 
-- 
2.47.3