diff --git a/tests/mutations/test_new_report.py b/tests/mutations/test_new_report.py
index d841e56b94cc3a51d27cc0122878288d7bb42083..2f5197a04c4f8181478785fd0f995074e6a8137d 100644
--- a/tests/mutations/test_new_report.py
+++ b/tests/mutations/test_new_report.py
@@ -1,7 +1,6 @@
 import pytest
 import arrow
 import json
-from unittest.mock import patch
 from openlobby.core.auth import create_access_token
 from openlobby.core.models import User, Report
 
@@ -108,3 +107,34 @@ def test_full_report(client, snapshot):
     assert report.our_participants == our_participants
     assert report.other_participants == other_participants
     assert report.extra is None
+
+
+def test_input_sanitization(client):
+    query = """
+    mutation newReport ($input: NewReportInput!) {
+        newReport (input: $input) {
+            report {
+                id
+            }
+        }
+    }
+    """
+    input = {
+        'title': '<s>No</s> tags',
+        'body': 'some <a href="http://foo">link</a> <br>in body',
+        'receivedBenefit': '<b>coffee</b>',
+        'providedBenefit': '<li>tea',
+        'ourParticipants': 'me, <u>myself</u>',
+        'otherParticipants': '<strong>you!</strong>',
+        'date': arrow.utcnow().isoformat(),
+    }
+
+    call_api(client, query, input, 'wolfe')
+
+    report = Report.objects.get()
+    assert report.title == 'No tags'
+    assert report.body == 'some link in body'
+    assert report.received_benefit == 'coffee'
+    assert report.provided_benefit == 'tea'
+    assert report.our_participants == 'me, myself'
+    assert report.other_participants == 'you!'
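Review bot: The return value of `call_api(client, query, input, 'wolfe')` in test_input_sanitization is discarded, so if the mutation is rejected the test fails at `Report.objects.get()` with a DoesNotExist instead of pointing at the API response; capture and check it, e.g. `res = call_api(client, query, input, 'wolfe')` followed by an assertion that the response carries no errors, in whatever shape call_api returns (its definition is not in this hunk, so it may already do this). The local `input` shadows the builtin and would be clearer as `input_data`. A one-line docstring such as `"""Markup in every free-text field is stripped before the report is stored."""` would state what this test pins, since the expected values (`'tea'` for the unclosed `<li>`, the dropped href) document the stripping policy better than the test name does.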