author | Santiago Pastorino <santiago@wyeworks.com> | 2010-08-14 02:13:00 -0300 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2010-08-14 13:17:32 +0200 |
commit | b95d6e84b00bd926b1118f6a820eca7a870b8c35 (patch) | |
tree | 0753080f3b0dabbe0b2f62abe044c24d6b4ed5c4 /actionpack/test/template/html-scanner/sanitizer_test.rb | |
parent | 36a84a4f15f29b41c7cac2f8de410055006a8a8d (diff) | |
Deletes trailing whitespaces (over text files only: `find * -type f -exec sed 's/[ \t]*$//' -i {} \;`)
Diffstat (limited to 'actionpack/test/template/html-scanner/sanitizer_test.rb')
-rw-r--r-- | actionpack/test/template/html-scanner/sanitizer_test.rb | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index c9edde8892..3e80317b30 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -24,11 +24,11 @@ class SanitizerTest < ActionController::TestCase
 def test_strip_links
 sanitizer = HTML::LinkSanitizer.new
- assert_equal "Dont touch me", sanitizer.sanitize("Dont touch me")
+ assert_equal "Dont touch me", sanitizer.sanitize("Dont touch me")
 assert_equal "on my mind\nall day long", sanitizer.sanitize("<a href='almost'>on my mind</a>\n<A href='almost'>all day long</A>")
- assert_equal "0wn3d", sanitizer.sanitize("<a href='http://www.rubyonrails.com/'><a href='http://www.rubyonrails.com/' onlclick='steal()'>0wn3d</a></a>")
- assert_equal "Magic", sanitizer.sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
- assert_equal "FrrFox", sanitizer.sanitize("<href onlclick='steal()'>FrrFox</a></href>")
+ assert_equal "0wn3d", sanitizer.sanitize("<a href='http://www.rubyonrails.com/'><a href='http://www.rubyonrails.com/' onlclick='steal()'>0wn3d</a></a>")
+ assert_equal "Magic", sanitizer.sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
+ assert_equal "FrrFox", sanitizer.sanitize("<href onlclick='steal()'>FrrFox</a></href>")
 assert_equal "My mind\nall <b>day</b> long", sanitizer.sanitize("<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>")
 assert_equal "all <b>day</b> long", sanitizer.sanitize("<<a>a href='hello'>all <b>day</b> long<</A>/a>")
@@ -58,7 +58,7 @@ class SanitizerTest < ActionController::TestCase
 raw = %{href="javascript:bang" <a href="javascript:bang" name="hello">foo</a>, <span href="javascript:bang">bar</span>}
 assert_sanitized raw, %{href="javascript:bang" <a name="hello">foo</a>, <span>bar</span>}
 end
-
+
 def test_sanitize_image_src
 raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
 assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
@@ -147,9 +147,9 @@ class SanitizerTest < ActionController::TestCase
 assert_sanitized %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), ""
 end
 
- [%(<IMG SRC="javascript:alert('XSS');">),
- %(<IMG SRC=javascript:alert('XSS')>),
- %(<IMG SRC=JaVaScRiPt:alert('XSS')>),
+ [%(<IMG SRC="javascript:alert('XSS');">),
+ %(<IMG SRC=javascript:alert('XSS')>),
+ %(<IMG SRC=JaVaScRiPt:alert('XSS')>),
 %(<IMG """><SCRIPT>alert("XSS")</SCRIPT>">),
 %(<IMG SRC=javascript:alert("XSS")>),
 %(<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>),
@@ -166,28 +166,28 @@ class SanitizerTest < ActionController::TestCase
 assert_sanitized img_hack, "<img>"
 end
 end
-
+
 def test_should_sanitize_tag_broken_up_by_null
 assert_sanitized %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>), "alert(\"XSS\")"
 end
-
+
 def test_should_sanitize_invalid_script_tag
 assert_sanitized %(<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>), ""
 end
-
+
 def test_should_sanitize_script_tag_with_multiple_open_brackets
 assert_sanitized %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "<"
 assert_sanitized %(<iframe src=http://ha.ckers.org/scriptlet.html\n<a), %(<a)
 end
-
+
 def test_should_sanitize_unclosed_script
 assert_sanitized %(<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>), "<b>"
 end
-
+
 def test_should_sanitize_half_open_scripts
 assert_sanitized %(<IMG SRC="javascript:alert('XSS')"), "<img>"
 end
-
+
 def test_should_not_fall_for_ridiculous_hack
 img_hack = %(<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
 assert_sanitized img_hack, "<img>"
@@ -214,15 +214,15 @@ class SanitizerTest < ActionController::TestCase
 raw = %(-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss'))
 assert_equal '', sanitize_css(raw)
 end
-
+
 def test_should_sanitize_invalid_tag_names
 assert_sanitized(%(a b c<script/XSS src="http://ha.ckers.org/xss.js"></script>d e f), "a b cd e f")
 end
-
+
 def test_should_sanitize_non_alpha_and_non_digit_characters_in_tags
 assert_sanitized('<a onclick!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>foo</a>', "<a>foo</a>")
 end
-
+
 def test_should_sanitize_invalid_tag_names_in_single_tags
 assert_sanitized('<img/src="http://ha.ckers.org/xss.js"/>', "<img />")
 end