diff options
author | David Heinemeier Hansson <david@loudthinking.com> | 2005-05-09 11:24:18 +0000 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2005-05-09 11:24:18 +0000 |
commit | 45780be2a7d6ddb5851e04279728c817c941c31c (patch) | |
tree | 142055ea22c6e5caca67108b59b4087f3053e3ff /actionpack/test/template | |
parent | b167248b21a8da63be871ec6815d117a8efa25f3 (diff) | |
download | rails-45780be2a7d6ddb5851e04279728c817c941c31c.tar.gz rails-45780be2a7d6ddb5851e04279728c817c941c31c.tar.bz2 rails-45780be2a7d6ddb5851e04279728c817c941c31c.zip |
Added TextHelper#sanitize that can will remove any Javascript handlers, blocks, and forms from an input of HTML. This allows for use of HTML on public sites, but still be free of XSS issues. #1277 [Jamis Buck]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@1298 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/template')
-rw-r--r-- | actionpack/test/template/text_helper_test.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index ed2f08e755..926ebdaf47 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -86,5 +86,29 @@ class TextHelperTest < Test::Unit::TestCase assert_equal %(<p>Link #{link2_result}</p>), auto_link("<p>Link #{link2_raw}</p>") assert_equal %(<p>#{link2_result} Link</p>), auto_link("<p>#{link2_raw} Link</p>") end + + def test_sanitize_form + raw = "<form action=\"/foo/bar\" method=\"post\"><input></form>" + result = sanitize(raw) + assert_equal "<form action='/foo/bar' method='post'><input></form>", result + end + + def test_sanitize_script + raw = "<script language=\"Javascript\">blah blah blah</script>" + result = sanitize(raw) + assert_equal "<script language='Javascript'>blah blah blah</script>", result + end + + def test_sanitize_js_handlers + raw = %{onthis="do that" <a href="#" onclick="hello" name="foo" onbogus="remove me">hello</a>} + result = sanitize(raw) + assert_equal %{onthis="do that" <a name='foo' href='#'>hello</a>}, result + end + + def test_sanitize_javascript_href + raw = %{href="javascript:bang" <a href="javascript:bang" name="hello">foo</a>, <span href="javascript:bang">bar</span>} + result = sanitize(raw) + assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result + end end |