Testing Cross Site Scripting

Harry King

Aug 12, 2015, 6:46:06 AM
to Serenity BDD Users Group
Hi John,

I've started to test XSS vulnerabilities using Serenity, and unfortunately, the report is also vulnerable!

I have the following scenario:
Scenario: Search using a script tag is escaped
When candidate searches for <script>alert("Test Failed");</script> by keyword
Then the script tag is ignored for keywords

Which causes several alerts to be displayed when drilling down into the report! The definition for the When statement takes a string argument. I know I could work around the issue by moving the criteria into a dedicated definition, but I was wondering if it's something you would consider escaping?

Kind regards,
Harry
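The problem Harry describes is a generic one: step text that carries user-controlled input is written into the HTML report without being escaped, so the browser executes it when the report is opened. The following is an added example illustrating that failure mode beside its fix; it is not Serenity BDD's code and is written in Python rather than Serenity's Java because the escaping rule is the same in any language. The function names, the report layout, and the step string (taken from the scenario in the post) are all constructed for this example.

```python
import html
import re

# Constructed from the scenario in the post: the argument the "When" step
# receives is untrusted input and must be treated as text, not markup.
STEP_TEXT = 'candidate searches for <script>alert("Test Failed");</script> by keyword'

# Crude reviewer check: does a raw <script ...> open tag survive in the
# generated HTML? Case-insensitive, tolerates whitespace after '<'.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_step_unescaped(step_text: str) -> str:
    """The failure mode: step text is concatenated straight into the
    report markup, so any tag in it becomes live HTML."""
    return f'<li class="step">When {step_text}</li>'


def render_step_escaped(step_text: str) -> str:
    """Hardened form: HTML-escape the step text before embedding it.
    quote=True also escapes " and ', which matters if the same value is
    ever placed inside an attribute rather than element content."""
    return f'<li class="step">When {html.escape(step_text, quote=True)}</li>'


def contains_live_script(fragment: str) -> bool:
    """True if an unescaped <script> open tag is present in the fragment."""
    return SCRIPT_TAG.search(fragment) is not None


def build_report(steps, escape: bool) -> str:
    """Assemble a minimal report page from step strings, using either the
    vulnerable or the hardened renderer."""
    renderer = render_step_escaped if escape else render_step_unescaped
    body = "\n".join(renderer(s) for s in steps)
    return f"<html><body><ul>\n{body}\n</ul></body></html>"


if __name__ == "__main__":
    vulnerable = build_report([STEP_TEXT], escape=False)
    hardened = build_report([STEP_TEXT], escape=True)
    print("unescaped report contains live script:", contains_live_script(vulnerable))
    print("escaped report contains live script:  ", contains_live_script(hardened))
    print(hardened)
```

The escaped report still shows the literal text `<script>alert("Test Failed");</script>` to the reader, which is exactly what a scenario about escaping wants to document; it just no longer executes. Escaping belongs at the point where text is written into HTML, so it covers every step argument rather than only the ones a test author remembered to move into a dedicated definition.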