Tests for checking path param in metadata form

UtrechtUniversity · Jan 10, 2024 · bc3b6e7 · bc3b6e7
1 parent 19ed0bb
commit bc3b6e7
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -365,3 +365,8 @@ def ui_module_shown(browser, module):
 @when(parsers.parse("the user navigates to {page}"))
 def ui_login_visit_groupmngr(browser, page):
     browser.visit("{}{}".format(portal_url, page))
+
+
+@then('the 404 error page is shown')
+def ui_404_error(browser):
+    browser.is_text_present("Page not found")
diff --git a/tests/features/api/api_deposit_restricted.feature b/tests/features/api/api_deposit_restricted.feature
@@ -15,7 +15,7 @@ Feature: Deposit API (restricted)
         Then the response status code is "200"
 
         Examples:
-            | file                   |
+            | file                              |
             | deposit_restricted_test_file1.txt |
             | deposit_restricted_test_file2.txt |
             | deposit_restricted_test_file3.txt |

diff --git a/tests/features/ui/ui_meta.feature b/tests/features/ui/ui_meta.feature
@@ -44,3 +44,13 @@ Feature: Meta UI
         Examples:
             | folder             |
             | research-default-3 |
+
+
+    Scenario Outline: Check that path is safe
+        Given user researcher is logged in
+        When the user navigates to <page>
+        Then the 404 error page is shown
+
+        Examples:
+            | page                                                                 |
+            | /research/metadata/form?path=<script>alert(document.domain)</script> |
diff --git a/tests/step_defs/ui/test_ui_browse.py b/tests/step_defs/ui/test_ui_browse.py
@@ -6,12 +6,6 @@
 
 from pytest_bdd import (
     scenarios,
-    then,
 )
 
 scenarios('../../features/ui/ui_browse.feature')
-
-
-@then('the 404 error page is shown')
-def ui_browse_404(browser):
-    browser.is_text_present("Page not found")