Reapply fix for issue #494

Avoid exploit of cross site scripting in login view.
Thanks to Lokesh (@lokesh1095) for the report and solution.
GitLab issue #494.

Signed-off-by: Roberto Rosario <roberto.rosario@mayan-edms.com>

HISTORY.rst

@@ -21,6 +21,9 @@
 - Add test for issue #494.
 - Add support for configurate test view template.
 - Add support for public test views.
+- Reapply fix for issue #494. To avoid exploit of cross site scripting in
+  login view. Thanks to Lokesh (@lokesh1095) for the report and solution.
+  GitLab issue #494.
 
 3.3.5 (2019-12-13)
 ==================

mayan/apps/appearance/templates/appearance/base_plain.html

@@ -28,7 +28,7 @@
             // template.
             var currentHash = window.location.hash;
             if (currentHash.length) {
-                window.location = currentHash.substring(1);
+                window.location.pathname = currentHash.substring(1);
             }
         </script>
     </head>

mayan/apps/appearance/tests/test_views.py

@@ -1,17 +1,25 @@
 from __future__ import absolute_import, unicode_literals
 
+from selenium.common.exceptions import NoAlertPresentException
 from selenium.webdriver.firefox.webdriver import WebDriver
 
 from django.conf import settings
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.urls import reverse
 
+from mayan.apps.common.tests.base import GenericViewTestCase
+
+
+class BasePlainViewTestCase(GenericViewTestCase, StaticLiveServerTestCase):
+    auto_add_test_view = True
+    test_view_url = r'^javascript:alert\("XSS"\)/$'
+    test_view_is_public = True
+    test_view_template = 'javascript_view'
 
-class BasePlainViewTestCase(StaticLiveServerTestCase):
     @classmethod
     def setUpClass(cls):
         super(BasePlainViewTestCase, cls).setUpClass()
-        cls.selenium = WebDriver()
+        cls.selenium = WebDriver(log_path='/dev/null')
 
     @classmethod
     def tearDownClass(cls):
@@ -19,9 +27,21 @@ class BasePlainViewTestCase(StaticLiveServerTestCase):
         super(BasePlainViewTestCase, cls).tearDownClass()
 
     def test_login_view_url_fragment_xss(self):
+        # Should redirect and not display an alert
         url = '{}{}{}'.format(
             self.live_server_url, reverse(viewname=settings.LOGIN_URL),
             '#javascript:alert("XSS")'
         )
         self.selenium.get(url=url)
-        self.selenium.find_element_by_xpath(xpath='//button[@name="submit"]')
+
+        with self.assertRaises(NoAlertPresentException):
+            self.selenium.switch_to_alert()
+
+    def test_login_view_url_redirect(self):
+        url = '{}{}{}'.format(
+            self.live_server_url, reverse(viewname=settings.LOGIN_URL),
+            '#javascript:alert("XSS")'
+        )
+        self.selenium.get(url=url)
+
+        self.assertTrue(self.test_view_template in self.selenium.page_source)