1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00
bitwarden-server/test/Core.Test/Utilities/HtmlEncodingStringConverterTests.cs

90 lines
2.7 KiB
C#
Raw Normal View History

[AC-1637] Sanitize Business and Organization Names from html script injection prior to storing in db (#3302) * [AC-1637] Added HtmlEncodingStringConverter to encode/decode special chars on JSON serialization/deserialization * [AC-1637] Added unit tests for HtmlEncodingStringConverter * [AC-1637] Moved expected values on unit tests to the arrange phase * [AC-1637] Added HtmlEncodingStringConverter to properties that are for input/output of Org Name and Business name * [AC-1637] Modified views in Admin project to decode values to display * [AC-1637] Replaced Html.Raw with HttpUtility.HtmlDecode * [AC-1637] Added JsonConverter to Provider DTOs * [AC-1637] Modified HandlebarsMailService to decode organization name before sending emails * Revert "[AC-1637] Added JsonConverter to Provider DTOs" This reverts commit 94d507cf93e4c9f7f02890b9286dba90bad3f516. * [AC-1637] Fixed Admin panel organization search * [AC-1637] Sanitizing Organization name and business name on creation in Admin panel * [AC-1637] Sanitizing organization name and business name on creation by a provider * [AC-1637] Sanitizing provider name on creation and on viewing in admin panel * [AC-1637] Added sanitization to more places where Org name is used * [AC-1637] Swapped using HttpUtility for WebUtility since the later is part of the dotnet framework * [AC-1637] Updated error messages * [AC-1637] Decoding on Admin panel add existing organization * [AC-1637] Fix HTML decoding issues * [AC-1637] Refactor HTML decoding in View and Model classes on Admin panel * [AC-1637] Refactor provider name and business name usages to use methods that output decoded values * [AC-1637] Fixed typo * [AC-1637] Renamed Provider methods to retrieve Decoded Name and BusinessName * [AC-1637] Renamed Organization methods to retrieve Decoded Name and BusinessName * [AC-1637] Update the display name method in the `ProviderOrganizationOrganizationDetails` class to `DisplayName()`
2024-03-05 11:56:48 +01:00
using System.Text.Json;
using System.Text.Json.Serialization;
using Bit.Core.Utilities;
using Xunit;
namespace Bit.Core.Test.Utilities;
public class HtmlEncodingStringConverterTests
{
[Fact]
public void Serialize_WhenEncodedValueIsNotNull_SerializesHtmlEncodedString()
{
// Arrange
var obj = new HtmlEncodedString
{
EncodedValue = "This is <b>bold</b>",
NonEncodedValue = "This is <b>bold</b>"
};
const string expectedJsonString = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
// This is necessary to prevent the serializer from double encoding the string
var serializerOptions = new JsonSerializerOptions
{
Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
};
// Act
var jsonString = JsonSerializer.Serialize(obj, serializerOptions);
// Assert
Assert.Equal(expectedJsonString, jsonString);
}
[Fact]
public void Serialize_WhenEncodedValueIsNull_SerializesNull()
{
// Arrange
var obj = new HtmlEncodedString
{
EncodedValue = null,
NonEncodedValue = null
};
const string expectedJsonString = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
// Act
var jsonString = JsonSerializer.Serialize(obj);
// Assert
Assert.Equal(expectedJsonString, jsonString);
}
[Fact]
public void Deserialize_WhenJsonContainsHtmlEncodedString_ReturnsDecodedString()
{
// Arrange
const string json = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
const string expectedEncodedValue = "This is &lt;b&gt;bold&lt;/b&gt;";
const string expectedNonEncodedValue = "This is <b>bold</b>";
// Act
var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
// Assert
Assert.Equal(expectedEncodedValue, obj.EncodedValue);
Assert.Equal(expectedNonEncodedValue, obj.NonEncodedValue);
}
[Fact]
public void Deserialize_WhenJsonContainsNull_ReturnsNull()
{
// Arrange
const string json = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
// Act
var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
// Assert
Assert.Null(obj.EncodedValue);
Assert.Null(obj.NonEncodedValue);
}
}
public class HtmlEncodedString
{
[JsonConverter(typeof(HtmlEncodingStringConverter))]
public string EncodedValue { get; set; }
public string NonEncodedValue { get; set; }
}