Add new test for Alpine.js attribute escaping

tschuehly · Oct 9, 2024 · 23afcaa · 23afcaa
1 parent c3c3e46
commit 23afcaa
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java b/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java
@@ -927,9 +927,17 @@ void script4() {
     void onMethods() {
         codeResolver.givenCode("template.jte", "@param String userName\n\n<span onclick=\"showName('${userName}')\">Click me</span>");
 
-        templateEngine.render("template.jte", "'); alert('xss", output);
+        templateEngine.render("template.jte", "'\n); alert('xss", output);
 
-        assertThat(output.toString()).isEqualTo("\n<span onclick=\"showName('\\x27); alert(\\x27xss')\">Click me</span>");
+        assertThat(output.toString()).isEqualTo("\n<span onclick=\"showName('\\x27\\n); alert(\\x27xss')\">Click me</span>");
+    }
+    @Test
+    void alpineJs() {
+        codeResolver.givenCode("template.jte", "@param String userName\n\n<span x-init=\"showName('${userName}')\">Click me</span>");
+
+        templateEngine.render("template.jte", "\n'); alert('xss", output);
+
+        assertThat(output.toString()).isEqualTo("\n<span x-init=\"showName('\\x27\\n); alert(\\x27xss')\">Click me</span>");
     }
 
     @Test