package com.atlassian.jira.webtests.ztests.issue;

import com.atlassian.jira.functest.framework.Administration;
import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.FunctTestConstants;
import com.atlassian.jira.functest.framework.HttpUnitConfiguration;
import com.atlassian.jira.functest.framework.LoginAs;
import com.atlassian.jira.functest.framework.RestoreBlankInstance;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import javax.inject.Inject;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;

/**
 * Functional tests for escaping in the XML issue view ({@code /si/jira.issueviews:...}).
 *
 * <p>Two classes of attacker-controlled text are probed: path components of the view URL
 * (module key and issue key) and user data (username / full name) that ends up in the
 * XML as reporter, assignee or user-picker custom field values. Every test asserts on the
 * response text only; no browser-side behaviour is exercised.
 *
 * <p>{@code throwOnErrorStatus = false} stops HttpUnit from throwing on a non-2xx response,
 * so the URL-parameter tests can inspect the body of an error page as well.
 */
@RestoreBlankInstance
@WebTest({Category.FUNC_TEST, Category.ISSUES, Category.SECURITY})
@LoginAs(user = "admin")
@HttpUnitConfiguration(throwOnErrorStatus = false)
public class TestXmlIssueViewXss extends BaseJiraFuncTest {
    /** Probe containing a double quote and single quotes; used as both username and full name. */
    private static final String XSS_ALERT_RAW = "\"alert('surprise!')";
    /** The probe after XML escaping, i.e. what a correctly escaped view must emit. */
    private static final String XSS_ALERT_XML_ESCAPED = "&quot;alert(&apos;surprise!&apos;)";
    /** Not referenced by any test in this class. */
    private static final String HTML_FRAGMENT = "/--><html><body>hi</body>;<!--";

    /** Probe injected into URL path components; must never be reflected verbatim. */
    private static final String SCRIPT_PROBE = "<script>alert('XSS')<script>";
    private static final String XSS_USER_PASSWORD = "password";
    private static final String XSS_USER_EMAIL = "xss@xss.com";
    private static final String PROJECT_NAME = "monkey";
    private static final String ISSUE_SUMMARY = "Just a bug";
    private static final String CUSTOM_FIELD_NAME = "test-xss";

    @Inject
    private Administration administration;

    /**
     * Restores the admin session: {@link #testUsernameAndFullnameEscaping} logs in as the
     * probe user, and later tests expect to run as admin.
     */
    @After
    public void tearDownTest() {
        navigation.login("admin");
    }

    /**
     * The plugin module key segment of the view URL must not be reflected unescaped.
     *
     * <p>NOTE(review): this asserts only that the raw probe is absent; an empty or generic
     * error body would also satisfy it. Whether an escaped form should additionally be
     * asserted depends on what the server returns here — not visible from this class.
     */
    @Test
    public void testXssInModuleKeyParam() throws IOException {
        tester.gotoPage("/si/jira.issueviews:" + SCRIPT_PROBE + "/HSP-1/HSP-1.xml");
        Assert.assertFalse("script probe reflected from module key",
                responseText().contains(SCRIPT_PROBE));
    }

    /**
     * The issue key segment of the view URL must not be reflected unescaped.
     * Same negative-only assertion as {@link #testXssInModuleKeyParam}.
     */
    @Test
    public void testXssInIssueKeyParam() throws IOException {
        tester.gotoPage("/si/jira.issueviews:HSP/" + SCRIPT_PROBE);
        Assert.assertFalse("script probe reflected from issue key",
                responseText().contains(SCRIPT_PROBE));
    }

    /**
     * An issue created by a user whose username and full name contain quotes must show
     * those values XML-escaped in the issue XML, and never in raw form.
     */
    @Test
    public void testUsernameAndFullnameEscaping() {
        addXssUser();
        navigation.login(XSS_ALERT_RAW, XSS_USER_PASSWORD);
        navigation.issue().viewXml(navigation.issue().createIssue(PROJECT_NAME, null, ISSUE_SUMMARY));
        assertProbeOnlyEscaped();
    }

    /** Single user-picker custom field value: escaped form present, raw form absent. */
    @Test
    public void testUsernameAndFullnameEscapingOnUserPicker() {
        addXssUser();
        viewXmlOfIssueWithUserPicker(FunctTestConstants.CUSTOM_FIELD_TYPE_USERPICKER, XSS_ALERT_RAW);
        assertProbeOnlyEscaped();
    }

    /**
     * Single user-picker custom field: both the {@code displayname} attribute and the
     * element text carry the escaped full name / username.
     */
    @Test
    public void testFullnamePresentOnUserPicker() {
        addXssUser();
        viewXmlOfIssueWithUserPicker(FunctTestConstants.CUSTOM_FIELD_TYPE_USERPICKER, XSS_ALERT_RAW);
        assertions.getTextAssertions().assertTextPresent(
                "<customfieldvalue displayname=\"&quot;alert(&apos;surprise!&apos;)\">&quot;alert(&apos;surprise!&apos;)</customfieldvalue>");
    }

    /** Resolves a built-in custom field type or searcher name to its full plugin key. */
    private String builtInCustomFieldKey(String suffix) {
        return FunctTestConstants.BUILT_IN_CUSTOM_FIELD_KEY + ":" + suffix;
    }

    /**
     * Multi user-picker custom field: the {@code displayname} attribute is escaped while the
     * element text is emitted inside a CDATA section, so the raw probe is expected exactly
     * once in the whole document (the CDATA body) and nowhere else.
     */
    @Test
    public void testUsernameAndFullnameEscapingOnMultiUserPicker() {
        addXssUser();
        viewXmlOfIssueWithUserPicker(FunctTestConstants.CUSTOM_FIELD_TYPE_MULTIUSERPICKER, XSS_ALERT_RAW, "admin");
        assertions.getTextAssertions().assertTextPresent(
                "<customfieldvalue displayname=\"&quot;alert(&apos;surprise!&apos;)\"><![CDATA[\"alert('surprise!')]]></customfieldvalue>");
        assertions.getTextAssertions().assertTextPresentNumOccurences(XSS_ALERT_RAW, 1);
    }

    /**
     * Creates a custom field via the backdoor and adds it to the default field screen so it
     * can be populated on issue creation.
     *
     * @param fieldName    display name of the new custom field
     * @param fieldTypeKey full plugin key of the custom field type
     * @param searcherKey  full plugin key of the searcher to attach
     * @return the identifier returned by the backdoor for the created field
     */
    private String createCustomField(String fieldName, String fieldTypeKey, String searcherKey) {
        String fieldId = backdoor.customFields().createCustomField(fieldName, "", fieldTypeKey, searcherKey);
        backdoor.screens().addFieldToScreen(FunctTestConstants.DEFAULT_FIELD_SCREEN_NAME, fieldName);
        return fieldId;
    }

    /** Body of the last response fetched by {@code tester}. */
    private String responseText() throws IOException {
        return tester.getDialog().getResponse().getText();
    }

    /** Creates the probe user whose username and full name are both {@link #XSS_ALERT_RAW}. */
    private void addXssUser() {
        administration.usersAndGroups().addUser(XSS_ALERT_RAW, XSS_USER_PASSWORD, XSS_ALERT_RAW, XSS_USER_EMAIL);
    }

    /** Creates the {@code test-xss} user-picker field of the given type, searched by the user-picker group searcher. */
    private String userPickerField(String pickerTypeConstant) {
        return createCustomField(CUSTOM_FIELD_NAME,
                builtInCustomFieldKey(pickerTypeConstant),
                builtInCustomFieldKey(FunctTestConstants.CUSTOM_FIELD_USER_PICKER_GROUP_SEARCHER));
    }

    /**
     * Creates an issue in {@code monkey} with a freshly created user-picker field set to
     * {@code values}, then opens its XML view. Receiver and argument evaluation order match
     * the inline form: the field is created before the issue.
     */
    private void viewXmlOfIssueWithUserPicker(String pickerTypeConstant, String... values) {
        navigation.issue().viewXml(
                navigation.issue().createIssue(PROJECT_NAME, null, ISSUE_SUMMARY,
                        ImmutableMap.of(userPickerField(pickerTypeConstant), values)));
    }

    /** Escaped probe must be present and the raw probe must be absent from the current page. */
    private void assertProbeOnlyEscaped() {
        assertions.getTextAssertions().assertTextPresent(XSS_ALERT_XML_ESCAPED);
        assertions.getTextAssertions().assertTextNotPresent(XSS_ALERT_RAW);
    }
}
