From 1f9026f29501ce8557e35c952edf2b78dbf8a515 Mon Sep 17 00:00:00 2001
From: Veloman Yunkan <veloman.yunkan@gmail.com>
Date: Thu, 25 Jan 2024 15:02:43 +0400
Subject: [PATCH] "</script>" inside KIWIX_RESPONSE_DATA is bad

Added a test case demonstrating how a bad error response could be
generated if </script> appears inside KIWIX_RESPONSE_DATA. That seems to
be the only problematic interaction between HTML-like syntax inside
javascript code (hence the deleted XXX comments on the other two test
cases).
---
 test/server.cpp | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/test/server.cpp b/test/server.cpp
index cf7e0a46f..4a188619d 100644
--- a/test/server.cpp
+++ b/test/server.cpp
@@ -787,8 +787,6 @@ TEST_F(ServerTest, Http404HtmlError)
 )"  },
 
     { /* url */ R"(/ROOT%23%3F/content/"><svg onload=alert(1)>)",
-      // XXX: This test case suggests that KIWIX_RESPONSE_DATA
-      // XXX: must be HTML-encoded, too
       expected_kiwix_response_data==R"({ "CSS_URL" : false, "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "url-not-found", "params" : { "url" : "/ROOT%23%3F/content/\"><svg onload%3Dalert(1)>" } } }, { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "\"><svg onload=alert(1)>", "SEARCH_URL" : "/ROOT%23%3F/search?pattern=%22%3E%3Csvg%20onload%3Dalert(1)%3E" } } } ] })" &&
       expected_body==R"(
     <h1>Not Found</h1>
@@ -803,8 +801,6 @@ TEST_F(ServerTest, Http404HtmlError)
     { /* url */ R"(/ROOT%23%3F/content/zimfile/"><svg onload=alert(1)>)",
       book_name=="zimfile" &&
       book_title=="Ray Charles" &&
-      // XXX: This test case suggests that KIWIX_RESPONSE_DATA
-      // XXX: must be HTML-encoded, too
       expected_kiwix_response_data==R"({ "CSS_URL" : false, "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "url-not-found", "params" : { "url" : "/ROOT%23%3F/content/zimfile/\"><svg onload%3Dalert(1)>" } } }, { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "\"><svg onload=alert(1)>", "SEARCH_URL" : "/ROOT%23%3F/search?content=zimfile&pattern=%22%3E%3Csvg%20onload%3Dalert(1)%3E" } } } ] })" &&
       expected_body==R"(
     <h1>Not Found</h1>
@@ -816,6 +812,22 @@ TEST_F(ServerTest, Http404HtmlError)
     </p>
 )"  },
 
+    // XXX: This test case is against a "</script>" string appearing inside
+    // XXX: javascript code that will confuse the HTML parser
+    { /* url */ R"(/ROOT%23%3F/content/zimfile/</script>)",
+      book_name=="zimfile" &&
+      book_title=="Ray Charles" &&
+      expected_kiwix_response_data==R"({ "CSS_URL" : false, "PAGE_HEADING" : { "msgid" : "404-page-heading", "params" : { } }, "PAGE_TITLE" : { "msgid" : "404-page-title", "params" : { } }, "details" : [ { "p" : { "msgid" : "url-not-found", "params" : { "url" : "/ROOT%23%3F/content/zimfile/</script>" } } }, { "p" : { "msgid" : "suggest-search", "params" : { "PATTERN" : "script>", "SEARCH_URL" : "/ROOT%23%3F/search?content=zimfile&pattern=script%3E" } } } ] })" &&
+      expected_body==R"(
+    <h1>Not Found</h1>
+    <p>
+      The requested URL "/ROOT%23%3F/content/zimfile/&lt;/script&gt;" was not found on this server.
+    </p>
+    <p>
+      Make a full text search for <a href="/ROOT%23%3F/search?content=zimfile&pattern=script%3E">script&gt;</a>
+    </p>
+)"  },
+
     { /* url */ "/ROOT%23%3F/content/zimfile/invalid-article?userlang=test",
       expected_page_title=="[I18N TESTING] Not Found - Try Again" &&
       book_name=="zimfile" &&