Implement better scanning for embedded <script> tags in uploaded files

tcms/kiwi_attachments/tests/test_validators.py

@@ -5,13 +5,20 @@
 from xmlrpc.client import Fault
 
 from django.utils.translation import gettext_lazy as _
+from parameterized import parameterized
 
 from tcms.rpc.tests.utils import APITestCase
 
 
 class TestValidators(APITestCase):
-    def test_uploading_svg_with_inline_script_should_fail(self):
-        with open("tests/ui/data/inline_javascript.svg", "rb") as svg_file:
+    @parameterized.expand(
+        [
+            "inline_javascript.svg",
+            "inline_javascript_mixed_case.svg",
+        ]
+    )
+    def test_uploading_svg_with_inline_script_should_fail(self, file_name):
+        with open(f"tests/ui/data/{file_name}", "rb") as svg_file:
             b64 = base64.b64encode(svg_file.read()).decode()
 
             message = str(_("File contains forbidden <script> tag"))

tcms/kiwi_attachments/validators.py

@@ -4,7 +4,7 @@
 
 def deny_uploads_containing_script_tag(uploaded_file):
     for chunk in uploaded_file.chunks(2048):
-        if chunk.find(b"<script") > -1:
+        if chunk.lower().find(b"<script") > -1:
             raise ValidationError(_("File contains forbidden <script> tag"))