@@ -317,7 +317,7 @@ def overlay_experience_request_body(self) -> dict:
317317 "disabled" : False ,
318318 "privacy_preferences_link_label" : "Manage preferences" ,
319319 "privacy_policy_link_label" : "View our privacy policy" ,
320- "privacy_policy_url" : "example.com/privacy" ,
320+ "privacy_policy_url" : "http:// example.com/privacy" ,
321321 "reject_button_label" : "Reject all" ,
322322 "regions" : [],
323323 "save_button_label" : "Save" ,
@@ -455,7 +455,7 @@ def test_create_another_default_experience_config(
455455 "description" : "We take your privacy seriously" ,
456456 "is_default" : True ,
457457 "privacy_policy_link_label" : "Manage your privacy" ,
458- "privacy_policy_url" : "example.com/privacy" ,
458+ "privacy_policy_url" : "http:// example.com/privacy" ,
459459 "reject_button_label" : "No" ,
460460 "save_button_label" : "Save" ,
461461 "title" : "Manage your privacy" ,
@@ -469,6 +469,39 @@ def test_create_another_default_experience_config(
469469 == "Cannot set as the default. Only one default privacy_center config can be in the system."
470470 )
471471
472+ @pytest .mark .parametrize (
473+ "invalid_url" ,
474+ [
475+ "thisisnotaurl" ,
476+ "javascript:alert('XSS: domain scope: '+document.domain)" ,
477+ ],
478+ )
479+ def test_create_experience_config_with_invalid_policy_url (
480+ self , api_client : TestClient , url , generate_auth_header , db , invalid_url
481+ ) -> None :
482+ """
483+ Verify that an invalid Privacy Policy URL returns a 422.
484+ """
485+ auth_header = generate_auth_header (
486+ scopes = [scopes .PRIVACY_EXPERIENCE_CREATE , scopes .PRIVACY_EXPERIENCE_UPDATE ]
487+ )
488+ response = api_client .post (
489+ url ,
490+ json = {
491+ "accept_button_label" : "Yes" ,
492+ "banner_enabled" : "always_disabled" ,
493+ "component" : "privacy_center" ,
494+ "description" : "We take your company's privacy seriously" ,
495+ "privacy_policy_link_label" : "Manage your privacy" ,
496+ "privacy_policy_url" : invalid_url ,
497+ "reject_button_label" : "No" ,
498+ "save_button_label" : "Save" ,
499+ "title" : "Manage your privacy" ,
500+ },
501+ headers = auth_header ,
502+ )
503+ assert response .status_code == 422
504+
472505 def test_create_experience_config_with_no_regions (
473506 self , api_client : TestClient , url , generate_auth_header , db
474507 ) -> None :
@@ -487,7 +520,7 @@ def test_create_experience_config_with_no_regions(
487520 "component" : "privacy_center" ,
488521 "description" : "We take your company's privacy seriously" ,
489522 "privacy_policy_link_label" : "Manage your privacy" ,
490- "privacy_policy_url" : "example.com/privacy" ,
523+ "privacy_policy_url" : "http:// example.com/privacy" ,
491524 "reject_button_label" : "No" ,
492525 "save_button_label" : "Save" ,
493526 "title" : "Manage your privacy" ,
@@ -503,7 +536,7 @@ def test_create_experience_config_with_no_regions(
503536 resp ["description" ] == "We take your company's privacy seriously"
504537 ) # Returned in the response, unescaped, for display
505538 assert resp ["privacy_policy_link_label" ] == "Manage your privacy"
506- assert resp ["privacy_policy_url" ] == "example.com/privacy"
539+ assert resp ["privacy_policy_url" ] == "http:// example.com/privacy"
507540 assert resp ["regions" ] == []
508541 assert resp ["reject_button_label" ] == "No"
509542 assert resp ["save_button_label" ] == "Save"
@@ -551,7 +584,7 @@ def test_create_experience_config_with_empty_regions(
551584 "component" : "privacy_center" ,
552585 "description" : "We take your privacy seriously" ,
553586 "privacy_policy_link_label" : "Manage your privacy" ,
554- "privacy_policy_url" : "example.com/privacy" ,
587+ "privacy_policy_url" : "http:// example.com/privacy" ,
555588 "regions" : [],
556589 "reject_button_label" : "No" ,
557590 "save_button_label" : "Save" ,
@@ -566,7 +599,7 @@ def test_create_experience_config_with_empty_regions(
566599 assert resp ["component" ] == "privacy_center"
567600 assert resp ["description" ] == "We take your privacy seriously"
568601 assert resp ["privacy_policy_link_label" ] == "Manage your privacy"
569- assert resp ["privacy_policy_url" ] == "example.com/privacy"
602+ assert resp ["privacy_policy_url" ] == "http:// example.com/privacy"
570603 assert resp ["regions" ] == []
571604 assert resp ["reject_button_label" ] == "No"
572605 assert resp ["save_button_label" ] == "Save"
@@ -624,7 +657,7 @@ def test_create_experience_config_no_existing_experiences(
624657 "description" : "We care about your privacy. Opt in and opt out of the data use cases below." ,
625658 "privacy_preferences_link_label" : "Control your privacy" ,
626659 "privacy_policy_link_label" : "Control your privacy" ,
627- "privacy_policy_url" : "example.com/privacy" ,
660+ "privacy_policy_url" : "http:// example.com/privacy" ,
628661 "regions" : ["us_ny" ],
629662 "reject_button_label" : "Reject all" ,
630663 "save_button_label" : "Save" ,
@@ -645,7 +678,7 @@ def test_create_experience_config_no_existing_experiences(
645678 )
646679 assert resp ["privacy_preferences_link_label" ] == "Control your privacy"
647680 assert resp ["privacy_policy_link_label" ] == "Control your privacy"
648- assert resp ["privacy_policy_url" ] == "example.com/privacy"
681+ assert resp ["privacy_policy_url" ] == "http:// example.com/privacy"
649682 assert resp ["regions" ] == ["us_ny" ]
650683 assert resp ["reject_button_label" ] == "Reject all"
651684 assert resp ["save_button_label" ] == "Save"
@@ -667,7 +700,7 @@ def test_create_experience_config_no_existing_experiences(
667700 experience_config .privacy_preferences_link_label == "Control your privacy"
668701 )
669702 assert experience_config .privacy_policy_link_label == "Control your privacy"
670- assert experience_config .privacy_policy_url == "example.com/privacy"
703+ assert experience_config .privacy_policy_url == "http:// example.com/privacy"
671704 assert experience_config .regions == [PrivacyNoticeRegion .us_ny ]
672705 assert experience_config .reject_button_label == "Reject all"
673706 assert experience_config .save_button_label == "Save"
@@ -700,7 +733,9 @@ def test_create_experience_config_no_existing_experiences(
700733 experience_config_history .privacy_policy_link_label
701734 == "Control your privacy"
702735 )
703- assert experience_config_history .privacy_policy_url == "example.com/privacy"
736+ assert (
737+ experience_config_history .privacy_policy_url == "http://example.com/privacy"
738+ )
704739 assert experience_config_history .reject_button_label == "Reject all"
705740 assert experience_config_history .save_button_label == "Save"
706741 assert experience_config_history .title == "Control your privacy"
@@ -758,7 +793,7 @@ def test_create_experience_config_existing_experiences(
758793 "description" : "We care about your privacy. Opt in and opt out of the data use cases below." ,
759794 "privacy_preferences_link_label" : "Control your privacy" ,
760795 "privacy_policy_link_label" : "Control your privacy" ,
761- "privacy_policy_url" : "example.com/privacy" ,
796+ "privacy_policy_url" : "http:// example.com/privacy" ,
762797 "regions" : ["us_tx" ],
763798 "reject_button_label" : "Reject all" ,
764799 "save_button_label" : "Save" ,
@@ -779,7 +814,7 @@ def test_create_experience_config_existing_experiences(
779814 )
780815 assert resp ["privacy_preferences_link_label" ] == "Control your privacy"
781816 assert resp ["privacy_policy_link_label" ] == "Control your privacy"
782- assert resp ["privacy_policy_url" ] == "example.com/privacy"
817+ assert resp ["privacy_policy_url" ] == "http:// example.com/privacy"
783818 assert resp ["regions" ] == ["us_tx" ]
784819 assert resp ["reject_button_label" ] == "Reject all"
785820 assert resp ["save_button_label" ] == "Save"
@@ -957,7 +992,7 @@ def overlay_experience_config(self, db) -> PrivacyExperienceConfig:
957992 "disabled" : False ,
958993 "privacy_preferences_link_label" : "Manage preferences" ,
959994 "privacy_policy_link_label" : "View our privacy policy" ,
960- "privacy_policy_url" : "example.com/privacy" ,
995+ "privacy_policy_url" : "http:// example.com/privacy" ,
961996 "reject_button_label" : "Reject all" ,
962997 "save_button_label" : "Save" ,
963998 "title" : "Control your privacy" ,