Update sanitize text helper to strip plaintext tags, and <img src=javascript:bang>. [Rick Olson]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4911 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

1 files changed, 12 insertions, 0 deletions

diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index babb68ccfa..7cc92e0bd6 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -195,6 +195,12 @@ class TextHelperTest < Test::Unit::TestCase
     assert_equal "&lt;form action='/foo/bar' method='post'><input>&lt;/form>", result
   end
 
+  def test_sanitize_plaintext
+    raw = "<plaintext><span>foo</span></plaintext>"
+    result = sanitize(raw)
+    assert_equal "&lt;plaintext><span>foo</span>&lt;/plaintext>", result
+  end
+
   def test_sanitize_script
     raw = "<script language=\"Javascript\">blah blah blah</script>"
     result = sanitize(raw)
@@ -213,6 +219,12 @@ class TextHelperTest < Test::Unit::TestCase
     assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
   end
   
+  def test_sanitize_image_src
+    raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
+    result = sanitize(raw)
+    assert_equal %{src="javascript:bang" <img width='5'>foo</img>, <span>bar</span>}, result
+  end
+  
   def test_cycle_class
     value = Cycle.new("one", 2, "3")
     assert_equal("one", value.to_s)