kimi/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Pull Requests Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
4e11dd24901943da6f3a7df59e423a881248300b
Timmy-time-dashboard/tests/security/test_xss_prevention.py
Claude 4e11dd2490 refactor: Phase 3 — reorganize tests into module-mirroring subdirectories 
Move 97 test files from flat tests/ into 13 subdirectories:
  tests/dashboard/   (8 files — routes, mobile, mission control)
  tests/swarm/       (17 files — coordinator, docker, routing, tasks)
  tests/timmy/       (12 files — agent, backends, CLI, tools)
  tests/self_coding/  (14 files — git safety, indexer, self-modify)
  tests/lightning/   (3 files — L402, LND, interface)
  tests/creative/    (8 files — assembler, director, image/music/video)
  tests/integrations/ (10 files — chat bridge, telegram, voice, websocket)
  tests/mcp/         (4 files — bootstrap, discovery, executor)
  tests/spark/       (3 files — engine, tools, events)
  tests/hands/       (3 files — registry, oracle, phase5)
  tests/scripture/   (1 file)
  tests/infrastructure/ (3 files — router cascade, API)
  tests/security/    (3 files — XSS, regression)

Fix Path(__file__) reference in test_mobile_scenarios.py for new depth.
Add __init__.py to all test subdirectories.

Tests: 1503 passed, 9 failed (pre-existing), 53 errors (pre-existing)

https://claude.ai/code/session_019oMFNvD8uSGSSmBMGkBfQN
2026-02-26 21:21:28 +00:00

26 lines
1009 B
Python
Raw Blame History

"""Regression tests for XSS prevention in the dashboard."""
import pytest
from fastapi.testclient import TestClient
def test_mobile_test_page_xss_prevention(client: TestClient):
"""
Verify that the mobile-test page uses safer DOM manipulation.
This test checks the template content for the presence of textContent
and proper usage of innerHTML for known safe constants.
"""
response = client.get("/mobile-test")
assert response.status_code == 200
content = response.text
# Check that we are using textContent for dynamic content
assert "textContent =" in content
# Check that we've updated the summaryBody.innerHTML usage to be safer
# or replaced with appendChild/textContent where appropriate.
# The fix uses innerHTML with template literals for structural parts
# but textContent for data parts.
assert "summaryBody.innerHTML = '';" in content
assert "p.textContent =" in content
assert "statusMsg.textContent =" in content
View Git Blame Copy Permalink