seed(RoleSeeder::class);
$this->organisation = Organisation::factory()->create();
$this->admin = User::factory()->create();
$this->organisation->users()->attach($this->admin, ['role' => 'org_admin']);
$this->crowdType = CrowdType::factory()->systemType('VOLUNTEER')->create([
'organisation_id' => $this->organisation->id,
]);
$this->event = Event::factory()->create([
'organisation_id' => $this->organisation->id,
'status' => 'registration_open',
]);
}
// --- XSS Payload Storage ---
public function test_xss_in_person_name_is_stored_safely(): void
{
    // A person is created with a script-injection string as first name. The API is
    // expected to accept it, persist it unchanged and echo it back unchanged: the
    // stored value is not "sanitised", escaping happens wherever the value is
    // rendered (the original note names Blade/Vue `{{ }}`). Any other consumer that
    // renders this field as HTML (exports, mail templates, …) is NOT covered here.
    // NOTE(review): the payload literal is empty as captured — confirm it was not
    // stripped from the file; an empty string does not exercise the stored-XSS case.
    Sanctum::actingAs($this->admin);

    $injected = '';
    $contact = 'xss-test@example.com';
    $endpoint = sprintf(
        '/api/v1/organisations/%s/events/%s/persons',
        $this->organisation->id,
        $this->event->id,
    );

    $result = $this->postJson($endpoint, [
        'crowd_type_id' => $this->crowdType->id,
        'first_name' => $injected,
        'last_name' => 'Normal',
        'email' => $contact,
    ]);

    $result->assertCreated();

    // The API resource must hand the raw string back; the client-side template escapes it.
    $result->assertJsonPath('data.first_name', $injected);

    // And the database row holds the same raw string — no server-side rewriting.
    $this->assertDatabaseHas('persons', [
        'first_name' => $injected,
        'email' => $contact,
    ]);
}
public function test_xss_in_event_name_is_stored_safely(): void
{
    // Same contract as the person-name test, for the event name: an attribute
    // break-out payload (`">` followed by a newline) must be accepted and returned
    // verbatim by the API; escaping is left to the renderer. This only proves the
    // JSON path does not reflect the value as HTML — other renderers are untested.
    // NOTE(review): the literal appears truncated after `">` — confirm the intended
    // tag was not stripped when the file was captured.
    Sanctum::actingAs($this->admin);

    $injected = '">
';
    $endpoint = sprintf('/api/v1/organisations/%s/events', $this->organisation->id);

    $eventInput = [
        'name' => $injected,
        'slug' => 'xss-test-event',
        'start_date' => '2026-07-01',
        'end_date' => '2026-07-03',
    ];

    $result = $this->postJson($endpoint, $eventInput);

    $result->assertCreated();
    $result->assertJsonPath('data.name', $injected);
}
public function test_xss_in_section_name_is_stored_safely(): void
{
Sanctum::actingAs($this->admin);
$xssPayload = '