package com.atlassian.jira.webtests.ztests.issue;

import com.atlassian.jira.functest.framework.FuncTestCase;
import com.atlassian.jira.functest.framework.FunctTestConstants;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.google.common.collect.ImmutableMap;
import com.meterware.httpunit.HttpUnitOptions;
import java.io.IOException;

/**
 * Functional tests for the XML issue view ({@code /si/jira.issueviews:...}).
 *
 * <p>Every test plants a value that would act as markup if copied into the response
 * verbatim -- a {@code <script>} sequence in a request path segment, or a username /
 * full name / user-picker value containing both quote characters -- and then checks that
 * the XML view either escapes it ({@code &quot;}, {@code &apos;}) or wraps it in a CDATA
 * section, and never echoes the raw form. Each test runs as {@code admin} against a
 * freshly restored blank instance (see {@link #setUpTest()}).
 */
@WebTest({Category.FUNC_TEST, Category.ISSUES, Category.SECURITY})
public class TestXmlIssueViewXss extends FuncTestCase {
    /** Used as username, full name and custom-field value; contains both {@code "} and {@code '}. */
    private static final String XSS_ALERT_RAW = "\"alert('surprise!')";
    /** The form {@link #XSS_ALERT_RAW} must take once XML-escaped. */
    private static final String XSS_ALERT_XML_ESCAPED = "&quot;alert(&apos;surprise!&apos;)";
    /**
     * Markup sequence placed into URL path segments. The second tag is {@code <script>}
     * rather than {@code </script>}; that is how the original test spells it, and the
     * assertion only checks that this exact sequence is not reflected into the body.
     */
    private static final String SCRIPT_TAG_PAYLOAD = "<script>alert('XSS')<script>";
    private static final String XSS_USER_PASSWORD = "password";
    private static final String XSS_USER_EMAIL = "xss@xss.com";
    private static final String PROJECT = "monkey";
    private static final String SUMMARY = "Just a bug";
    private static final String CUSTOM_FIELD_NAME = "test-xss";

    /**
     * Turns off HttpUnit's exception-on-error-status behaviour so that a 4xx/5xx reply is
     * returned as an ordinary response (presumably so the path-segment tests can read the
     * body of an error page). The decompiler note indicates this was {@code protected} in
     * the original source.
     */
    @Override
    public void setUpHttpUnitOptions() {
        super.setUpHttpUnitOptions();
        HttpUnitOptions.setExceptionsThrownOnErrorStatus(false);
    }

    /** Logs in as {@code admin} and restores a blank instance before each test. */
    @Override
    public void setUpTest() {
        super.setUpTest();
        this.navigation.login("admin");
        this.administration.restoreBlankInstance();
    }

    /**
     * Logs back in as {@code admin} (some tests log in as the XSS-named user) and restores
     * the HttpUnit default of throwing on error status before delegating to the superclass.
     */
    @Override
    public void tearDownTest() {
        this.navigation.login("admin");
        HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
        super.tearDownTest();
    }

    /** The module-key path segment must not be echoed back into the response verbatim. */
    public void testXssInModuleKeyParam() throws IOException {
        this.tester.gotoPage("/si/jira.issueviews:" + SCRIPT_TAG_PAYLOAD + "/HSP-1/HSP-1.xml");
        assertResponseDoesNotContain(SCRIPT_TAG_PAYLOAD);
    }

    /** The issue-key path segment must not be echoed back into the response verbatim. */
    public void testXssInIssueKeyParam() throws IOException {
        this.tester.gotoPage("/si/jira.issueviews:HSP/" + SCRIPT_TAG_PAYLOAD);
        assertResponseDoesNotContain(SCRIPT_TAG_PAYLOAD);
    }

    /**
     * An issue reported by a user whose username and full name are the raw payload must
     * render those fields XML-escaped in the issue's XML view.
     */
    public void testUsernameAndFullnameEscaping() {
        addUserNamedAfterPayload();
        this.navigation.login(XSS_ALERT_RAW, XSS_USER_PASSWORD);
        this.navigation.issue().viewXml(this.navigation.issue().createIssue(PROJECT, null, SUMMARY));
        assertOnlyEscapedFormPresent();
    }

    /** A single-user-picker custom field holding the payload user must render XML-escaped. */
    public void testUsernameAndFullnameEscapingOnUserPicker() {
        addUserNamedAfterPayload();
        viewXmlOfNewBugWithField(FunctTestConstants.CUSTOM_FIELD_TYPE_USERPICKER, XSS_ALERT_RAW);
        assertOnlyEscapedFormPresent();
    }

    /**
     * A multi-user-picker custom field emits its values inside CDATA, so the raw payload is
     * expected to appear exactly once -- inside that CDATA section -- and nowhere else.
     */
    public void testUsernameAndFullnameEscapingOnMultiUserPicker() {
        addUserNamedAfterPayload();
        viewXmlOfNewBugWithField(FunctTestConstants.CUSTOM_FIELD_TYPE_MULTIUSERPICKER, XSS_ALERT_RAW, "admin");
        this.assertions.getTextAssertions().assertTextPresent(
                "<customfieldvalue><![CDATA[" + XSS_ALERT_RAW + "]]></customfieldvalue>");
        this.assertions.getTextAssertions().assertTextPresentNumOccurences(XSS_ALERT_RAW, 1);
    }

    /** Creates the user whose username and full name are both {@link #XSS_ALERT_RAW}. */
    private void addUserNamedAfterPayload() {
        this.administration.usersAndGroups().addUser(XSS_ALERT_RAW, XSS_USER_PASSWORD, XSS_ALERT_RAW, XSS_USER_EMAIL);
    }

    /**
     * Adds a custom field of the given built-in type, creates a bug in the test project with
     * {@code values} stored in that field, and opens the new issue's XML view.
     *
     * @param fieldType one of the {@code FunctTestConstants.CUSTOM_FIELD_TYPE_*} keys
     * @param values    the values submitted for the new field
     */
    private void viewXmlOfNewBugWithField(String fieldType, String... values) {
        this.navigation.issue().viewXml(
                this.navigation.issue().createIssue(PROJECT, null, SUMMARY,
                        ImmutableMap.of(
                                this.administration.customFields().addCustomField(builtInCustomFieldKey(fieldType), CUSTOM_FIELD_NAME),
                                values)));
    }

    /**
     * Asserts that the current response body does not contain {@code needle}.
     *
     * @throws IOException if the response text cannot be read
     */
    private void assertResponseDoesNotContain(String needle) throws IOException {
        final String body = this.tester.getDialog().getResponse().getText();
        assertFalse(body.contains(needle));
    }

    /** Asserts the escaped payload is present on the current page and the raw payload is not. */
    private void assertOnlyEscapedFormPresent() {
        this.assertions.getTextAssertions().assertTextPresent(XSS_ALERT_XML_ESCAPED);
        this.assertions.getTextAssertions().assertTextNotPresent(XSS_ALERT_RAW);
    }
}
