package com.atlassian.jira.webtests.ztests.issue;

import com.atlassian.jira.functest.framework.FuncTestCase;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.atlassian.jira.webtests.ztests.workflow.TestWorkFlowActions;
import com.meterware.httpunit.WebLink;
import junit.framework.AssertionFailedError;
import org.xml.sax.SAXException;

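/**
 * Functional regression tests checking that wiki-rendered content (the {@code {code}} macro and
 * several kinds of links) does not let attacker-controlled markup escape into the rendered page.
 *
 * <p>Both tests restore the {@code TestWikiRendererXSSInLink.xml} fixture and then inspect the
 * issue identified by {@code TestWorkFlowActions.issueKey}.
 */
@WebTest({Category.FUNC_TEST, Category.COMMENTS, Category.FIELDS})
/* loaded from: input_file:com/atlassian/jira/webtests/ztests/issue/TestWikiRendererXSS.class */
public class TestWikiRendererXSS extends FuncTestCase {
    /**
     * Adds a comment whose {@code {code}} macro carries a {@code lang} parameter containing a
     * double quote, a closing {@code </pre>} and a {@code <script>} element, then checks the text
     * of the rendered {@code <pre>} node.
     */
    public void testCodeMacro() {
        this.administration.restoreData("TestWikiRendererXSSInLink.xml");
        this.navigation.issue().addComment(TestWorkFlowActions.issueKey, "{code:lang=x\"</pre><script>alert(1)</script>}xxx{code}", null);
        this.navigation.issue().viewIssue(TestWorkFlowActions.issueKey);
        // The macro parameter must not leak into the block's text content; only the macro body
        // ("xxx") is expected there.
        // NOTE(review): both assertions look only at the text of the <pre> node. They do not by
        // themselves prove that no <script> element was emitted elsewhere in the comment; an
        // explicit check on the comment container would make the regression guard stronger.
        this.assertions.assertNodeDoesNotHaveText("//div[@id='comment-10020']/div[1]//pre", "alert(1)\">xxx");
        this.assertions.assertNodeHasText("//div[@id='comment-10020']/div[1]//pre", "xxx");
    }

    /**
     * Checks the URLs of links that the fixture data renders on the issue page.
     *
     * <p>Each expected value still contains the injected quote and {@code onclick} text (raw or
     * percent-encoded) as part of the link's URL. Presumably this shows the payload stayed inside
     * the parsed {@code href} value instead of becoming a separate event-handler attribute;
     * confirm against the renderer's escaping code.
     */
    public void testXSSLinks() {
        this.administration.restoreData("TestWikiRendererXSSInLink.xml");
        this.navigation.issue().viewIssue(TestWorkFlowActions.issueKey);
        assertLinkPresent("test email link", "mailto:whatever@broken.com\" onclick=\"alert('hi. I am a fun onclick event')");
        assertLinkPresent("test file link", "file:anything\" onclick=\"alert('hi. I am a fun onclick event')");
        assertLinkPresent("test http link", "http://www.atlassian.com\" onclick=\"alert('hi. I am a fun onclick event')");
        assertLinkPresent("bad user", "secure/ViewProfile.jspa?name=bad%22+onclick%3Dalert%28%27bad%27%29");
        assertLinkPresent("attachment xss", "secure/attachment/10000/10000_%23b+onclick%3Dalert%28%27b%27%29.png");
        assertLinkPresent("escaped", "<escaped>");
        assertEquals("brenden\" onclick=\"alert('XSS')", getLinkWithName("anchor").getFragmentIdentifier());
    }

    /**
     * Asserts that the link with the given text exists and that its URL ends with the expected
     * suffix.
     *
     * @param linkText text used to look the link up on the current page
     * @param expectedSuffix string the link's URL must end with
     */
    private void assertLinkPresent(String linkText, String expectedSuffix) {
        String actualUrl = getLinkWithName(linkText).getURLString();
        assertTrue("Link should have ended with '" + expectedSuffix + "' but actually was '" + actualUrl + "'", actualUrl.endsWith(expectedSuffix));
    }

    /**
     * Looks up a link on the current response by its text.
     *
     * @param linkText text of the link to find
     * @return the matching link, never {@code null}
     * @throws AssertionFailedError if the page cannot be parsed or no such link exists
     */
    private WebLink getLinkWithName(String linkText) {
        WebLink link;
        try {
            link = this.tester.getDialog().getResponse().getLinkWith(linkText);
        } catch (SAXException e) {
            AssertionFailedError parseFailure = new AssertionFailedError("Unable to read in document to find link with text'" + linkText + "'.");
            parseFailure.initCause(e);
            throw parseFailure;
        }
        // A missing link would otherwise surface as a NullPointerException in the callers, which
        // hides the real reason the test failed (the expected link was never rendered).
        if (link == null) {
            throw new AssertionFailedError("No link with text '" + linkText + "' was found on the page.");
        }
        return link;
    }
}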
