Sanitize the contents of HTML attachments before display

author: Louise Crow <louise.crow@gmail.com> 2014-12-22 10:55:30 +0000
committer: Louise Crow <louise.crow@gmail.com> 2014-12-22 11:04:00 +0000
commit: b2a1d7c2ea65c69bb01191ab1df09df004e67348 (patch)
tree: 52746697a9296a7788ded7bf35928e8f03990b7b /spec/controllers/request_controller_spec.rb
parent: 052c242d74b1aff44b5d08ed664201f17792e5a4 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 6c0f4573e..26e46a966 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -596,6 +596,18 @@ describe RequestController, "when showing one request" do
             response.status.should == 303
         end
 
+        it "should sanitise HTML attachments" do
+            incoming_message = FactoryGirl.create(:incoming_message_with_html_attachment)
+            get :get_attachment, :incoming_message_id => incoming_message.id,
+                                 :id => incoming_message.info_request.id,
+                                 :part => 2,
+                                 :file_name => 'interesting.html',
+                                 :skip_cache => 1
+            response.body.should_not match("script")
+            response.body.should_not match("interesting")
+            response.body.should match('dull')
+        end
+
         it "should censor attachments downloaded as binary" do
             ir = info_requests(:fancy_dog_request)
author	Louise Crow <louise.crow@gmail.com>	2014-12-22 10:55:30 +0000
committer	Louise Crow <louise.crow@gmail.com>	2014-12-22 11:04:00 +0000
commit	b2a1d7c2ea65c69bb01191ab1df09df004e67348 (patch)
tree	52746697a9296a7788ded7bf35928e8f03990b7b /spec/controllers/request_controller_spec.rb
parent	052c242d74b1aff44b5d08ed664201f17792e5a4 (diff)