Skip to content

[test-improver] Add XSS bypass bug-pin tests for StringUtils.sanitize()#66

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
test-assist/stringutils-sanitize-xss-bugtests-4e9cee650e0089d9
Draft

[test-improver] Add XSS bypass bug-pin tests for StringUtils.sanitize()#66
github-actions[bot] wants to merge 1 commit into
mainfrom
test-assist/stringutils-sanitize-xss-bugtests-4e9cee650e0089d9

Conversation

@github-actions

Copy link
Copy Markdown

🤖 Test Improver — automated AI assistant focused on improving tests.

Goal & Rationale

StringUtils.sanitize() is documented as "NOT proper HTML sanitization" and is easily bypassed via well-known XSS vectors (Issue #8). This PR adds 8 bug-pin tests that document every known bypass so that:

  1. They pass today, pinning the current broken behaviour.
  2. They fail if a partial fix is applied — alerting the maintainer that other bypass vectors still need attention.
  3. They serve as acceptance criteria — a real fix must change all assertions to verify the payload is cleaned.

Bypass Vectors Documented

Test Bypass vector Current sanitize() behaviour
testSanitize_imgOnerrorBypass <img src=x onerror=alert(1)> passes through unchanged
testSanitize_svgOnloadBypass <svg onload=alert(1)> passes through unchanged
testSanitize_uppercaseScriptNotStripped <SCRIPT>...</SCRIPT> passes through unchanged
testSanitize_mixedCaseScriptNotStripped <sCrIpT>...</sCrIpT> passes through unchanged
testSanitize_scriptWithSpaceNotStripped <script >...</script> closing tag stripped, opening passes through
testSanitize_javascriptProtocolBypass `<a href="(redacted) passes through unchanged
testSanitize_bodyOnloadBypass (body onload=...) passes through unchanged
testSanitize_iframeBypass `<iframe src="(redacted) passes through unchanged

No Code Changes

No production code was modified. No new dependencies added.

Test Status

[INFO] Tests run: 18, Failures: 0, Errors: 0, Skipped: 0  ← StringUtilsTest (10 existing + 8 new)
[INFO] Tests run: 46, Failures: 1, Errors: 1, Skipped: 7  ← full suite (2 pre-existing failures only)

Pre-existing failures (not caused by this PR):

Reproducibility

mvn test -B -Dtest=StringUtilsTest

Related

Generated by Test Improver · 90 AIC · ⌖ 9.66 AIC · ⊞ 10.9K ·
Comment /test-assist to run again

Add this agentic workflows to your repo

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/test-improver.md@1c6668b751c51af8571f01204ceffb19362e0f66

8 new bug-pin tests documenting the known XSS bypass vectors in sanitize().
Each test asserts the current broken behaviour so future changes surface
if a bypass is accidentally removed while others remain.

Bypass vectors pinned:
- <img src=x onerror=...>  (event handler on img tag)
- <svg onload=...>          (event handler on svg tag)
- <SCRIPT>...</SCRIPT>      (all-uppercase not stripped)
- <sCrIpT>...</sCrIpT>      (mixed-case not stripped)
- <script >...</script>     (space before > on opening tag)
- javascript: protocol in href/src
- <body onload=...>         (event handler on body)
- <iframe src="javascript:...">  (iframe not stripped)

No production code changed. No new dependencies.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants