Download as
Browse Code »

Commit 520af0a8a47afb555228119748e68c5e93a8f37b

Authored by Antonio Terceiro
Committed by Joenio Costa
1 parent 50c9c297
Exists in staging and in 42 other branches all_pending_tasks_api, api-articles-period, api_roles, caching-rails4, captcha_serpro_plugin, comments_permissions, content-manager-hostspot, elasticsearch, elasticsearch_api, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, elasticsearch_view, environment-exposes-api, export-comment-api, export-comment-paragraph, export_data, external_followers, federation-webfinger, federation_followers, federation_followers_backend, federation_oauth_provider, federation_webfinger, fix_event_date_issue, fix_notification_email, fix_string_downcase_and_upcase, follower_permition, json_cookie_serializer, login-captcha, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, production-vendorized, profile_api_improvements, tasks_keep_filter_params, user_mention, webfinger_server

Make sure TinyMCE's abstract is XSS-proof 

The body is already extensively tested against XSS, and since both
abstract and body use the same validation I am only adding a new test
for the abstract to make sure it is being validated at all.
Showing 1 changed file with 5 additions and 0 deletions   Show diff stats
test/unit/tiny_mce_article_test.rb
  Diff comments   View file @520af0a
... ... @@ -118,6 +118,11 @@ class TinyMceArticleTest < Test::Unit::TestCase
118 118 assert_no_match /script/, article.name
119 119 end
120 120  
  121 + should 'not allow XSS on abstract' do
  122 + article = TinyMceArticle.create!(:name => "test 123", :abstract => 'abstract with <script>alert("xss")</script>', :profile => profile)
  123 + assert_no_match /script/, article.abstract
  124 + end
  125 +
121 126 should 'notifiable be true' do
122 127 a = fast_create(TinyMceArticle)
123 128 assert a.notifiable?
... ...