/** Echo endpoint: answers 200 with the XML body of the request.
  *
  * The handler does no validation of its own; the body has already been
  * parsed by the `parse.xml` body parser before this code runs.
  * NOTE(review): any DOCTYPE / external-entity hardening for this route
  * therefore lives in that body parser and not here. Confirm its
  * configuration before relying on this route for untrusted XML.
  *
  * @return an asynchronous action whose body type is the parsed `NodeSeq`
  */
def handlePost(): Action[NodeSeq] = Action.async(parse.xml) { implicit request =>
  val echoed = Ok(request.body)
  Future.successful(echoed)
}
/** First attempt at a regression test for DOCTYPE-bearing request bodies.
  *
  * As the trailing comment on the assertion records, the route answers 200
  * here, so the expected 400 is not met.
  */
class RoutesSpec extends PlaySpec with GuiceOneAppPerSuite {

  "The POST route" must {
    "not handle XXE XML" in {
      // The document carries an internal DTD subset (element declarations only,
      // no entities); it stands in for "any body with a DOCTYPE".
      val dtdDocument =
        """<?xml version="1.0" encoding="utf-8"?>
          |<!DOCTYPE foo [
          |<!ELEMENT foo (bar)>
          | <!ELEMENT bar (#PCDATA)>
          |]>
          |<foo>
          | <bar>string</bar>
          |</foo>
          |""".stripMargin

      // NOTE(review): loadString parses the text inside the test process, and the
      // resulting Elem holds only the <foo> tree. The DOCTYPE is presumably gone
      // by the time withXmlBody serialises the request, so the server-side
      // parser never sees it. That would explain the 200.
      val parsedBody: Elem = scala.xml.XML.loadString(dtdDocument)

      val request = FakeRequest(POST_REQUEST, "/my-route").withXmlBody(parsedBody)
      val Some(result) = route(app, request)

      status(result) mustEqual 400 // currently returns 200
    }
  }
}
/** Regression test: a request body that contains a DOCTYPE must be rejected.
  *
  * The body is wrapped in `scala.xml.Unparsed`, so the text is not parsed in
  * the test and is written out as-is. The DOCTYPE therefore reaches the
  * route's XML body parser.
  */
class RoutesSpec extends PlaySpec with GuiceOneAppPerSuite {

  "The POST route" must {
    "not handle XXE XML" in {
      // Internal DTD subset with element declarations only (no entities): the
      // test pins "DOCTYPE is refused", which is the control that blocks XXE.
      val dtdDocument =
        """<?xml version="1.0" encoding="utf-8"?>
          |<!DOCTYPE foo [
          |<!ELEMENT foo (bar)>
          | <!ELEMENT bar (#PCDATA)>
          |]>
          |<foo>
          | <bar>string</bar>
          |</foo>
          |""".stripMargin

      // Unparsed keeps the raw text, so the request carries the DTD verbatim.
      val rawBody = scala.xml.Unparsed(dtdDocument)

      val request = FakeRequest(POST_REQUEST, "/my-route").withXmlBody(rawBody)
      val Some(result) = route(app, request)

      // Expect a client error with the application's generic JSON error body.
      // NOTE(review): the generic message also keeps parser error details out
      // of the response. Confirm that is the intended error-handler behaviour.
      status(result) mustEqual 400
      contentAsString(result) mustBe """{"statusCode":400,"message":"bad request"}"""
    }
  }
}