Add new test for Alpine.js attribute escaping

This commit introduces a new test case to ensure proper HTML escaping for Alpine.js attributes in templates. The test checks that potentially harmful JavaScript within `x-init` attributes is correctly escaped to prevent XSS attacks, similar to the existing test for `onclick` attributes.
tschuehly · Oct 25, 2024 · 909c9ad · 909c9ad
1 parent c3c3e46
commit 909c9ad
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java b/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java
@@ -927,9 +927,17 @@ void script4() {
     void onMethods() {
         codeResolver.givenCode("template.jte", "@param String userName\n\n<span onclick=\"showName('${userName}')\">Click me</span>");
 
-        templateEngine.render("template.jte", "'); alert('xss", output);
+        templateEngine.render("template.jte", "'\n); alert('xss", output);
 
-        assertThat(output.toString()).isEqualTo("\n<span onclick=\"showName('\\x27); alert(\\x27xss')\">Click me</span>");
+        assertThat(output.toString()).isEqualTo("\n<span onclick=\"showName('\\x27\\n); alert(\\x27xss')\">Click me</span>");
+    }
+    @Test
+    void alpineJs() {
+        codeResolver.givenCode("template.jte", "@param String userName\n\n<span x-init=\"showName('${userName}')\">Click me</span>");
+
+        templateEngine.render("template.jte", "\n'); alert('xss", output);
+
+        assertThat(output.toString()).isEqualTo("\n<span x-init=\"showName('\\x27\\n); alert(\\x27xss')\">Click me</span>");
     }
 
     @Test