diff options
| author | Michael Koziarski <michael@koziarski.com> | 2007-12-02 08:45:35 +0000 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2007-12-02 08:45:35 +0000 |
| commit | 92f02adf407d6884ffea789b39f78f44b7fd3722 (patch) | |
| tree | 3d363b6feb853f93c54f6faf40f294738c4de4ce /actionpack/test/template/javascript_helper_test.rb | |
| parent | e7c5da6260918d770f9d7abd311337ff1cb09d60 (diff) | |
| download | rails-92f02adf407d6884ffea789b39f78f44b7fd3722.tar.gz rails-92f02adf407d6884ffea789b39f78f44b7fd3722.tar.bz2 rails-92f02adf407d6884ffea789b39f78f44b7fd3722.zip | |
Don't escape forward slashes with String#to_json, our unicode encoding of < and > prevent the XSS problems. [tpope] Closes #10273
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8255 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/template/javascript_helper_test.rb')
| -rw-r--r-- | actionpack/test/template/javascript_helper_test.rb | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/actionpack/test/template/javascript_helper_test.rb b/actionpack/test/template/javascript_helper_test.rb index 1fabe80ba7..0d44e96f84 100644 --- a/actionpack/test/template/javascript_helper_test.rb +++ b/actionpack/test/template/javascript_helper_test.rb @@ -38,14 +38,14 @@ class JavaScriptHelperTest < Test::Unit::TestCase html = link_to_function( "Greet me!" ) do |page| page.replace_html 'header', "<h1>Greetings</h1>" end - assert_dom_equal %(<a href="#" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E");; return false;">Greet me!</a>), html + assert_dom_equal %(<a href="#" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E");; return false;">Greet me!</a>), html end def test_link_to_function_with_rjs_block_and_options html = link_to_function( "Greet me!", :class => "updater" ) do |page| page.replace_html 'header', "<h1>Greetings</h1>" end - assert_dom_equal %(<a href="#" class="updater" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E");; return false;">Greet me!</a>), html + assert_dom_equal %(<a href="#" class="updater" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E");; return false;">Greet me!</a>), html end def test_link_to_function_with_href @@ -67,14 +67,14 @@ class JavaScriptHelperTest < Test::Unit::TestCase html = button_to_function( "Greet me!" ) do |page| page.replace_html 'header', "<h1>Greetings</h1>" end - assert_dom_equal %(<input type="button" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E");;" value="Greet me!" />), html + assert_dom_equal %(<input type="button" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C/h1\\u003E");;" value="Greet me!" />), html end def test_button_to_function_with_rjs_block_and_options html = button_to_function( "Greet me!", :class => "greeter" ) do |page| page.replace_html 'header', "<h1>Greetings</h1>" end - assert_dom_equal %(<input type="button" class="greeter" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C\\/h1\\u003E");;" value="Greet me!" />), html + assert_dom_equal %(<input type="button" class="greeter" onclick="Element.update("header", "\\u003Ch1\\u003EGreetings\\u003C\/h1\\u003E");;" value="Greet me!" />), html end def test_button_to_function_with_onclick |