# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. from unittest.mock import patch, PropertyMock from flask import current_app from superset.models.dashboard import Dashboard def test_dashboard_link_escapes_slug(app_context: None) -> None: """dashboard_link must HTML-escape the user-controlled slug in the href. The slug can carry markup via the import path (which does not run the REST API's slug sanitization), so the rendered FAB list-view link must escape it. `url_for` percent-encodes path params and `escape()` HTML-encodes the result before Markup-marking; the rendered link must contain neither the raw injected script tag nor an unescaped attribute breakout. """ dash = Dashboard() dash.id = 1 dash.dashboard_title = "My Dashboard" dash.slug = '">' with current_app.test_request_context("/"): link = str(dash.dashboard_link()) # The injected script tag / attribute breakout must be escaped away. assert "