From 8c412b391f9402f3840728ad1e6b8043e4ed8b7b Mon Sep 17 00:00:00 2001
From: Jocelyn Delalande <jocelyn@crapouillou.net>
Date: Wed, 22 Feb 2017 00:31:52 +0100
Subject: [PATCH] Add non-regression test for member name XSS

ref #173
---
 budget/tests.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/budget/tests.py b/budget/tests.py
index 2ee3d81..c650c80 100644
--- a/budget/tests.py
+++ b/budget/tests.py
@@ -911,6 +911,18 @@ class APITestCase(TestCase):
                 headers=self.get_auth("raclette"))
         self.assertStatus(404, req)
 
+    def test_username_xss(self):
+        # create a project
+        #self.api_create("raclette")
+        self.post_project("raclette")
+        self.login("raclette")
+
+        # add members
+        self.api_add_member("raclette", "<script>")
+
+        result = self.app.get('/raclette/')
+        self.assertNotIn("<script>", result.data)
+
     def test_weighted_bills(self):
         # create a project
         self.api_create("raclette")