Add test for param sanitized in controller

commit 90f5e656baa4713e05c7820bd2f16b4bf8b3e870 1 parent 142d624
@presidentbeef presidentbeef authored Dave Worth committed
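--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -108,6 +108,10 @@ def test_send_second_param
 @result = target.send(:method, *args)
 end
+def test_sanitized_param
+params["something"] = h(params["something"])
+end
+
 private
 def filter_it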
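Review bot: The new fixture action `test_sanitized_param` has no comment saying what it exists to exercise, which matters in a fixture app whose actions are only scanned, never run, and whose expectations live in a different file. I would put `# Fixture: escapes params["something"] in the controller before render; see test_sanitized_param.html.erb and test_sanitized_params_from_controller in test/tests/test_rails2.rb` above the `def`. The enclosing controller class starts and ends outside the hunk.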
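--- /dev/null
+++ b/test/apps/rails2/app/views/home/test_sanitized_param.html.erb
@@ -0,0 +1,5 @@
+<%= params["something"] %>
+
+<% x = params["something"] %>
+
+<%= x %>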
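--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ def expected
 @expected ||= {
 :controller => 1,
 :model => 2,
-:template => 25,
+:template => 26,
 :warning => 25 }
 else
 @expected ||= {
 :controller => 1,
 :model => 2,
-:template => 25,
+:template => 26,
 :warning => 26 }
 end
 end
@@ -271,6 +271,24 @@ def test_params_from_controller
 :file => /test_params\.html\.erb/
 end
+def test_sanitized_params_from_controller
+assert_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 1,
+:message => /^Unescaped parameter value/,
+:confidence => 0,
+:file => /test_sanitized_param\.html\.erb/
+end
+
+def test_sanitized_params_from_controller
+assert_no_warning :type => :template,
+:warning_type => "Cross Site Scripting",
+:line => 5,
+:message => /^Unescaped parameter value/,
+:confidence => 0,
+:file => /test_sanitized_param\.html\.erb/
+end
+
 def test_indirect_xss
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",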
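Review bot: `test_sanitized_params_from_controller` is defined twice in the second hunk, once with `assert_warning` for line 1 and once with `assert_no_warning` for line 5, so Ruby silently replaces the first definition with the second and the line-1 assertion never runs (`ruby -w` reports it as a method redefinition). The `:template` counts raised from 25 to 26 in the first hunk indicate that one new template warning is expected, so the first assertion looks intended rather than a leftover. Give the second method its own name, e.g. `def test_sanitized_params_from_controller_no_warning`, so both assertions execute. The enclosing test class starts and ends outside the hunk.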