1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-05 14:23:30 +01:00
bitwarden-server/test/Core.Test/Utilities/HtmlEncodingStringConverterTests.cs
Rui Tomé 9d59e4dc9e
[AC-1637] Sanitize Business and Organization Names from html script injection prior to storing in db (#3302)
* [AC-1637] Added HtmlEncodingStringConverter to encode/decode special chars on JSON serialization/deserialization

* [AC-1637] Added unit tests for HtmlEncodingStringConverter

* [AC-1637] Moved expected values on unit tests to the arrange phase

* [AC-1637] Added HtmlEncodingStringConverter to properties that are for input/output of Org Name and Business name

* [AC-1637] Modified views in Admin project to decode values to display

* [AC-1637] Replaced Html.Raw with HttpUtility.HtmlDecode

* [AC-1637] Added JsonConverter to Provider DTOs

* [AC-1637] Modified HandlebarsMailService to decode organization name before sending emails

* Revert "[AC-1637] Added JsonConverter to Provider DTOs"

This reverts commit 94d507cf93.

* [AC-1637] Fixed Admin panel organization search

* [AC-1637] Sanitizing Organization name and business name on creation in Admin panel

* [AC-1637] Sanitizing organization name and business name on creation by a provider

* [AC-1637] Sanitizing provider name on creation and on viewing in admin panel

* [AC-1637] Added sanitization to more places where Org name is used

* [AC-1637] Swapped using HttpUtility for WebUtility since the later is part of the dotnet framework

* [AC-1637] Updated error messages

* [AC-1637] Decoding on Admin panel add existing organization

* [AC-1637] Fix HTML decoding issues

* [AC-1637] Refactor HTML decoding in View and Model classes on Admin panel

* [AC-1637] Refactor provider name and business name usages to use methods that output decoded values

* [AC-1637] Fixed typo

* [AC-1637] Renamed Provider methods to retrieve Decoded Name and BusinessName

* [AC-1637] Renamed Organization methods to retrieve Decoded Name and BusinessName

* [AC-1637] Update the display name method in the `ProviderOrganizationOrganizationDetails` class to `DisplayName()`
2024-03-05 10:56:48 +00:00

90 lines
2.7 KiB
C#

using System.Text.Json;
using System.Text.Json.Serialization;
using Bit.Core.Utilities;
using Xunit;
namespace Bit.Core.Test.Utilities;
public class HtmlEncodingStringConverterTests
{
[Fact]
public void Serialize_WhenEncodedValueIsNotNull_SerializesHtmlEncodedString()
{
// Arrange
var obj = new HtmlEncodedString
{
EncodedValue = "This is <b>bold</b>",
NonEncodedValue = "This is <b>bold</b>"
};
const string expectedJsonString = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
// This is necessary to prevent the serializer from double encoding the string
var serializerOptions = new JsonSerializerOptions
{
Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
};
// Act
var jsonString = JsonSerializer.Serialize(obj, serializerOptions);
// Assert
Assert.Equal(expectedJsonString, jsonString);
}
[Fact]
public void Serialize_WhenEncodedValueIsNull_SerializesNull()
{
// Arrange
var obj = new HtmlEncodedString
{
EncodedValue = null,
NonEncodedValue = null
};
const string expectedJsonString = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
// Act
var jsonString = JsonSerializer.Serialize(obj);
// Assert
Assert.Equal(expectedJsonString, jsonString);
}
[Fact]
public void Deserialize_WhenJsonContainsHtmlEncodedString_ReturnsDecodedString()
{
// Arrange
const string json = "{\"EncodedValue\":\"This is <b>bold</b>\",\"NonEncodedValue\":\"This is <b>bold</b>\"}";
const string expectedEncodedValue = "This is &lt;b&gt;bold&lt;/b&gt;";
const string expectedNonEncodedValue = "This is <b>bold</b>";
// Act
var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
// Assert
Assert.Equal(expectedEncodedValue, obj.EncodedValue);
Assert.Equal(expectedNonEncodedValue, obj.NonEncodedValue);
}
[Fact]
public void Deserialize_WhenJsonContainsNull_ReturnsNull()
{
// Arrange
const string json = "{\"EncodedValue\":null,\"NonEncodedValue\":null}";
// Act
var obj = JsonSerializer.Deserialize<HtmlEncodedString>(json);
// Assert
Assert.Null(obj.EncodedValue);
Assert.Null(obj.NonEncodedValue);
}
}
public class HtmlEncodedString
{
[JsonConverter(typeof(HtmlEncodingStringConverter))]
public string EncodedValue { get; set; }
public string NonEncodedValue { get; set; }
}