diff --git a/tcms/kiwi_attachments/tests/test_validators.py b/tcms/kiwi_attachments/tests/test_validators.py
index 40b2ae0b1a..ec9228e8d4 100644
--- a/tcms/kiwi_attachments/tests/test_validators.py
+++ b/tcms/kiwi_attachments/tests/test_validators.py
@@ -25,6 +25,19 @@ def test_uploading_svg_with_inline_script_should_fail(self, file_name):
 with self.assertRaisesRegex(Fault, message):
 self.rpc_client.User.add_attachment("inline_javascript.svg", b64)
+ @parameterized.expand(
+ [
+ "svg_with_onload_attribute.svg",
+ ]
+ )
+ def test_uploading_svg_with_forbidden_attributes_should_fail(self, file_name):
+ with open(f"tests/ui/data/{file_name}", "rb") as svg_file:
+ b64 = base64.b64encode(svg_file.read()).decode()
+ message = str(_("File contains forbidden attribute:"))
+ with self.assertRaisesRegex(Fault, message):
+ self.rpc_client.User.add_attachment("image.svg", b64)
+ def test_uploading_filename_ending_in_dot_exe_should_fail(self):
 message = str(_("Uploading executable files is forbidden"))
 with self.assertRaisesRegex(Fault, message):
diff --git a/tcms/kiwi_attachments/validators.py b/tcms/kiwi_attachments/validators.py
index 696a14399b..26b735b7f7 100644
--- a/tcms/kiwi_attachments/validators.py
+++ b/tcms/kiwi_attachments/validators.py
@@ -7,6 +7,9 @@ def deny_uploads_containing_script_tag(uploaded_file):
 if chunk.lower().find(b" -1:
 raise ValidationError(_("File contains forbidden
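Review bot: The new `parameterized.expand` list in `test_uploading_svg_with_forbidden_attributes_should_fail` holds a single fixture, `svg_with_onload_attribute.svg`, so the test only proves that one lowercase `onload` is rejected; it would not catch a validator that misses `OnLoad`, other handlers such as `onclick`/`onerror`, or an `href="javascript:..."` link, all of which a browser executes the same way when the SVG is rendered inline. If the validator is meant to block those variants, add one fixture per variant to the list, e.g. `"svg_with_mixed_case_onload_attribute.svg",` and `"svg_with_onerror_attribute.svg",`, so a regression in any one of them fails a named case. The assertion matches only the generic prefix `File contains forbidden attribute:`; once the validator's message format is settled, asserting the offending attribute name as well would confirm the right rule fired rather than any rule. The validators.py hunk appears to scan `uploaded_file.chunks()` chunk by chunk (`chunk.lower().find(...)` is visible, though the hunk is truncated), so a fixture large enough that the attribute straddles a chunk boundary would pin that edge case too.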