-rw-r--r-- | actionview/test/template/sanitizers_test.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index 0e1c22a02a..4dab987cea 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
@@ -122,6 +122,11 @@ class SanitizerTest < ActionController::TestCase
     assert_sanitized %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href=\"foo\">baz</a>)
   end
 
+  def test_video_poster_sanitization
+    assert_sanitized %(<video src="videofile.ogg" autoplay poster="posterimage.jpg"></video>), %(<video src="videofile.ogg" poster="posterimage.jpg"></video>)
+    assert_sanitized %(<video src="videofile.ogg" poster=javascript:alert(1)></video>), %(<video src="videofile.ogg"></video>)
+  end
+
   # RFC 3986, sec 4.2
   def test_allow_colons_in_path_component
     assert_sanitized("<a href=\"./this:that\">foo</a>")
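Review bot: The second assertion in `test_video_poster_sanitization` pins only the bare, unquoted `javascript:` form of the poster URI, so the test would still pass if the scheme check for `poster` were weaker than the one already exercised for `href`/`src` elsewhere in this class; consider adding one or two more `assert_sanitized` calls with a quoted value and a mixed-case scheme (the same variants the existing link tests cover) so that `poster` is held to the same filtering as the other URI attributes. The change that actually makes `poster` a URI-scanned attribute in the sanitizer is not in this hunk, so this test presumably depends on a sibling change to the allowed-attribute/URI-attribute lists — worth confirming the test fails without it. The first assertion also implicitly tests that `autoplay` is dropped as a non-allowed attribute; a one-line comment such as `# poster is a URI attribute: it gets the same scheme filtering as href/src, and autoplay is not allowed` would make both intents explicit. The enclosing `SanitizerTest` class starts and ends outside the hunk.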