# HG changeset patch
# User Alain Mazy <am@osimis.io>
# Date 1702372477 -3600
# Node ID 3cb7c6162c77f7eec03de32ffd37bb7c8fea190f
# Parent  c28bd957cb939e4291b09af14f179df6e637bb1a
new test for XSS

diff -r c28bd957cb93 -r 3cb7c6162c77 Tests/Tests.py
--- a/Tests/Tests.py	Sat Nov 25 12:23:45 2023 +0100
+++ b/Tests/Tests.py	Tue Dec 12 10:14:37 2023 +0100
@@ -10023,3 +10023,23 @@
             self.assertEqual('M3D', tags['Modality'])
             self.assertEqual('model/obj', tags['MIMETypeOfEncapsulatedDocument'])
             self.assertEqual('1.2.840.10008.5.1.4.1.1.104.4', tags['SOPClassUID'])
+
+
+    def test_error_codes_content_type(self):
+
+        # from 1.12.2, check that a ContentType header is included in errors with an error description (ex: 404)
+        (headers, body) = DoGetRaw(_REMOTE, '/rnm94%3Cscript%3Ealert(1)%3C/script%3Ejdtkc/explorer.html')
+        self.assertEqual('404', headers['status'])
+
+        if IsOrthancVersionAbove(_REMOTE, 1, 12, 2):
+            self.assertEqual('application/json', headers['content-type'])
+
+        (headers, body) = DoPutRaw(_REMOTE, '/system', 'hello')
+        self.assertEqual('405', headers['status'])
+        # when there is no body, there is no content-type
+        self.assertNotIn('content-type', headers)
+
+        # responses with bodies contain x-content-type-options
+        if IsOrthancVersionAbove(_REMOTE, 1, 12, 2):
+            (headers, body) = DoGetRaw(_REMOTE, '/system')
+            self.assertIn('nosniff', headers['x-content-type-options'])