root/test/acts_as_sanitized_test.rb

Revision 1, 3.0 kB (checked in by al..@al3x.net, 2 years ago)

initial commit

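require File.join(File.dirname(__FILE__), 'setup_test')

# Exercises the acts_as_sanitized plugin against the fixture models that
# setup_test loads. As far as these tests show:
#
#   Entry   - sanitizes an explicit field list (title, body); extended is untouched
#   Comment - sanitizes fields the plugin discovers on its own (title, body)
#   Message - does not use the plugin and has no acts_as_sanitized_options reader
#   Person  - discovered fields with :strip_tags, so markup is removed outright
#   Review  - explicit field list with tags stripped; extended is untouched
#
# Every test that inspects a sanitized value calls save first and asserts that
# the save succeeded, so a validation failure shows up as "save failed" rather
# than as a confusing "field still contains <script>" mismatch. Which callback
# the plugin hooks (before_save vs. an earlier one) is not visible from here.
class ActsAsSanitizedTest < Test::Unit::TestCase
  # Fields expected in acts_as_sanitized_options[:fields] for Entry and Comment.
  SANITIZED_FIELDS = ["title", "body"].freeze

  # Inline-script payloads used as the "dirty" input for each field.
  SCRIPT_TITLE    = "<script>alert('xss in title')</script>".freeze
  SCRIPT_BODY     = "<script>alert('xss in body')</script>".freeze
  SCRIPT_EXTENDED = "<script>alert('xss in extended')</script>".freeze

  # Expected output of the default (escaping) mode. NOTE(review): only '<' is
  # entity-encoded; '>' and the quotes pass through unchanged. That is enough to
  # stop a tag from opening when the value is rendered as element text, but it
  # does not make the value safe inside an attribute. These constants pin the
  # plugin's current behavior, nothing more.
  ESCAPED_TITLE = "&lt;script>alert('xss in title')&lt;/script>".freeze
  ESCAPED_BODY  = "&lt;script>alert('xss in body')&lt;/script>".freeze

  # Expected output of :strip_tags mode: the tags vanish, their text content stays.
  STRIPPED_TITLE = "alert('xss in title')".freeze
  STRIPPED_BODY  = "alert('xss in body')".freeze

  # Entry names its fields explicitly; :extended is deliberately not among them.
  def test_field_specification
    entry = Entry.new(:title => "Test entry",
                      :body => "Lorem ipsum etc. etc.",
                      :extended => "Yet more lorem ipsum...",
                      :person_id => 1)

    assert_equal SANITIZED_FIELDS, entry.acts_as_sanitized_options[:fields]
  end

  # Comment gives no field list; the plugin works one out itself. Here that is
  # title and body, and person_id is not included.
  def test_field_discovery
    comment = Comment.new(:person_id => 1,
                          :title => "Test title",
                          :body => "Test body")

    assert_equal SANITIZED_FIELDS, comment.acts_as_sanitized_options[:fields]
  end

  # A model that never called acts_as_sanitized must not gain the options reader.
  def test_uncontaminated_model
    message = Message.new(:person_id => 1, :recipient_id => 2, :body => "Test body")

    assert_raise(NoMethodError) { message.acts_as_sanitized_options }
  end

  # Escaping mode on an explicit field list: title and body are escaped,
  # extended is stored verbatim because it is not in the list.
  def test_sanitization_on_specified_fields
    entry = Entry.new(:title => SCRIPT_TITLE,
                      :body => SCRIPT_BODY,
                      :extended => SCRIPT_EXTENDED,
                      :person_id => 1)
    assert entry.save, "Entry failed to save; sanitization checks below would be meaningless"

    assert_equal ESCAPED_TITLE, entry.title
    assert_equal ESCAPED_BODY, entry.body
    # Not a sanitized field, so the raw payload must survive unchanged.
    assert_equal SCRIPT_EXTENDED, entry.extended
  end

  # Escaping mode on discovered fields: both discovered fields are escaped.
  def test_sanitization_on_discovered_fields
    comment = Comment.new(:person_id => 1,
                          :title => SCRIPT_TITLE,
                          :body => SCRIPT_BODY)
    assert comment.save, "Comment failed to save; sanitization checks below would be meaningless"

    assert_equal ESCAPED_TITLE, comment.title
    assert_equal ESCAPED_BODY, comment.body
  end

  # :strip_tags mode on discovered fields: the markup is removed, not escaped.
  def test_html_stripping_on_discovered_fields
    person = Person.new(:name => "<strong>Mallory</strong>")
    assert person.save, "Person failed to save; stripping checks below would be meaningless"

    assert person.acts_as_sanitized_options[:strip_tags]
    assert_equal "Mallory", person.name
  end

  # :strip_tags mode on an explicit field list: title and body lose their tags
  # but keep their text, extended is stored verbatim.
  def test_html_stripping_on_specified_fields
    review = Review.new(:title => SCRIPT_TITLE,
                        :body => SCRIPT_BODY,
                        :extended => SCRIPT_EXTENDED,
                        :person_id => 1)
    assert review.save, "Review failed to save; stripping checks below would be meaningless"

    assert_equal STRIPPED_TITLE, review.title
    assert_equal STRIPPED_BODY, review.body
    # Not a sanitized field, so the raw payload must survive unchanged.
    assert_equal SCRIPT_EXTENDED, review.extended
  end
end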