Add tests for e() helper and script tag removal

dansysanalyst · Apr 30, 2024 · 03561b8 · 03561b8
1 parent 87ff5a9
commit 03561b8
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/tests/Feature/PowerGridFieldsTest.php b/tests/Feature/PowerGridFieldsTest.php
@@ -5,6 +5,36 @@
 
 use function PowerComponents\LivewirePowerGrid\Tests\Plugins\livewire;
 
+it('removes <script> tag from custom field', function (string $component, object $params) {
+    Order::first()->update(['link' => 'hello there! <script>alert(document.cookie)</script>']);
+
+    livewire($component)
+        ->call($params->theme)
+        ->assertDontSeeHtml('&lt;script&gt;alert')
+        ->assertDontSeeHtml('<script>alert')
+        ->assertSeeHtml('hello there!');
+})->with('order_table');
+
+it('runs e() helper in PG fields', function (string $component, object $params) {
+    Order::first()->update(['name' => '<img src="invalid_url.png" onerror=alert(document.cookie)>']);
+
+    livewire($component)
+        ->call($params->theme)
+        ->assertDontSeeHtml('<img src="invalid_url.png"')
+        ->assertSeeHtml('<div>&lt;img src=&quot;invalid_url.png&quot; onerror=alert(document.cookie)&gt;');
+})->with('order_table');
+
+it('does not run e() in custom PG fields', function (string $component, object $params) {
+    $link = '<a href="https://google.com" target="_blank">Link from closure</a>';
+
+    Order::first()->update(['link' => $link]);
+
+    livewire($component)
+        ->call($params->theme)
+        ->assertDontSeeHtml(e($link))
+        ->assertSeeHtml($link);
+})->with('order_table');
+
 it('can fields with casting and custom fields', function (string $component, object $params) {
     livewire($component)
         ->call($params->theme)