authorPiotr Sarnacki <drogus@gmail.com>2012-03-27 02:07:09 +0200
committerPiotr Sarnacki <drogus@gmail.com>2012-03-27 02:26:17 +0200
commit37c84ed877188151c14af2b1401e4f2bd860bdd7 (patch)
treebb552a00ca8165d550542c3135885ec9512db9fa /actionpack/test/template
parent494610792530bc21f5c284a4eb66278b07953a5b (diff)
Don't ignore non Enumerable values passed to sanitize (closes #5585)
When someone accidentally passes a string to sanitize, like: sanitize("<span>foo</span>", :tags => "b"), there is no indication that this is the wrong way to call it, and the span will not be removed.
Diffstat (limited to 'actionpack/test/template')
-rw-r--r--actionpack/test/template/html-scanner/sanitizer_test.rb18
1 files changed, 18 insertions, 0 deletions
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index 32c655c5fd..324caef224 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -125,6 +125,24 @@ class SanitizerTest < ActionController::TestCase
assert_equal(text, sanitizer.sanitize(text, :attributes => ['foo']))
end
+ def test_should_raise_argument_error_if_tags_is_not_enumerable
+ sanitizer = HTML::WhiteListSanitizer.new
+ e = assert_raise(ArgumentError) do
+ sanitizer.sanitize('', :tags => 'foo')
+ end
+
+ assert_equal "You should pass :tags as an Enumerable", e.message
+ end
+
+ def test_should_raise_argument_error_if_attributes_is_not_enumerable
+ sanitizer = HTML::WhiteListSanitizer.new
+ e = assert_raise(ArgumentError) do
+ sanitizer.sanitize('', :attributes => 'foo')
+ end
+
+ assert_equal "You should pass :attributes as an Enumerable", e.message
+ end
+
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)