Commit 520af0a8a47afb555228119748e68c5e93a8f37b

Authored by Antonio Terceiro
Committed by Joenio Costa
1 parent 50c9c297

Make sure TinyMCE's abstract is XSS-proof

The body is already extensively tested against XSS, and since both
abstract and body use the same validation I am only adding a new test
for the abstract to make sure it is being validated at all.
Showing 1 changed file with 5 additions and 0 deletions
test/unit/tiny_mce_article_test.rb
@@ -118,6 +118,11 @@ class TinyMceArticleTest < Test::Unit::TestCase @@ -118,6 +118,11 @@ class TinyMceArticleTest < Test::Unit::TestCase
118 assert_no_match /script/, article.name 118 assert_no_match /script/, article.name
119 end 119 end
120 120
  121 + should 'not allow XSS on abstract' do
  122 + article = TinyMceArticle.create!(:name => "test 123", :abstract => 'abstract with <script>alert("xss")</script>', :profile => profile)
  123 + assert_no_match /script/, article.abstract
  124 + end
  125 +
121 should 'notifiable be true' do 126 should 'notifiable be true' do
122 a = fast_create(TinyMceArticle) 127 a = fast_create(TinyMceArticle)
123 assert a.notifiable? 128 assert a.notifiable?
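Review bot: the new assertion `assert_no_match /script/, article.abstract` in the added `should 'not allow XSS on abstract'` block would also pass if the sanitizer dropped the abstract entirely, so it does not prove the abstract is validated rather than discarded; pair it with a positive check that the harmless text survived, e.g. `assert_match /abstract with/, article.abstract`. The commit message says abstract and body share the same validation, so a second assertion mirroring what the body test already verifies would make that shared behaviour explicit in this test. Note also that the test does not exercise case variants of the tag (the regex `/script/` is case-sensitive), which is fine for the literal lowercase input used here but worth keeping in mind if the case is extended.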