groups_field_injection.feature 939 Bytes
@javascript @core @core_administration
Feature: Injecting sql in groups search field
  In order to inject javascript in group search field and group name field
  As an admin
  To see if Mahara is secure enough

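# Creates a group whose name and description contain a <script> payload,
# then submits the same payload to the search field on "Administer groups".
Scenario: Injecting sql in groups search field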
  Given I log in as "admin" with password "Kupuhipa1"
  And I choose "My groups" in "Groups" from main menu
  And I click on "Create group"
  And I set the following fields to these values:
  | Group name | <script>alert(1);</script> |
  | Group description | <script>alert(1);</script> |
  | Open | Off |
  | Hide group | Off |
  And I press "Save group"
  And I should see "Group saved successfully"
  And I choose "Administer groups" in "Groups" from administration menu
  When I set the following fields to these values:
  | search_query | <script>alert(1);</script> |
  And I press "search_submit"
  And I follow "About"
  And I should see "About us"
  Then I go to "homepage"