Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/general_controller_spec.rb12
-rw-r--r--spec/controllers/request_controller_spec.rb12
-rw-r--r--spec/factories/foi_attchments.rb5
-rw-r--r--spec/factories/incoming_messages.rb8
-rw-r--r--spec/fixtures/files/blog_feed.atom2
-rw-r--r--spec/fixtures/files/interesting.html7
6 files changed, 45 insertions, 1 deletions
diff --git a/spec/controllers/general_controller_spec.rb b/spec/controllers/general_controller_spec.rb
index 4a7a0bb48..28dac7b96 100644
--- a/spec/controllers/general_controller_spec.rb
+++ b/spec/controllers/general_controller_spec.rb
@@ -53,6 +53,18 @@ describe GeneralController, 'when getting the blog feed' do
end
end
+ context 'when the blog has entries' do
+
+ render_views
+
+ it 'should escape any javascript from the entries' do
+ controller.stub!(:quietly_try_to_open).and_return(load_file_fixture("blog_feed.atom"))
+ get :blog
+ response.body.should_not include('<script>alert("exciting!")</script>')
+ end
+
+ end
+
end
describe GeneralController, "when showing the frontpage" do
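Review bot: The assertion on line 29 is negative-only, so it also passes when the stubbed feed fails to parse or no entries are rendered at all; add a positive check that the entry content actually reached the page, e.g. `response.body.should include('Example post')`, and, if escaping rather than stripping is the intended defence, `response.body.should include('&lt;script&gt;')`. The stub on line 27 hands back the raw fixture, so this test exercises only the rendering path, not the fetch. The enclosing describe block starts before the hunk.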
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 15e252501..2d3ccfa63 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -596,6 +596,18 @@ describe RequestController, "when showing one request" do
response.status.should == 303
end
+ it "should sanitise HTML attachments" do
+ incoming_message = FactoryGirl.create(:incoming_message_with_html_attachment)
+ get :get_attachment, :incoming_message_id => incoming_message.id,
+ :id => incoming_message.info_request.id,
+ :part => 2,
+ :file_name => 'interesting.html',
+ :skip_cache => 1
+ response.body.should_not match("script")
+ response.body.should_not match("interesting")
+ response.body.should match('dull')
+ end
+
it "should censor attachments downloaded as binary" do
ir = info_requests(:fancy_dog_request)
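Review bot: The checks on lines 50–52 inspect only the body; if the sanitised attachment is still served with a browser-renderable HTML content type the response remains interpretable as a page, so the test should also pin the header the controller is expected to set, e.g. `response.headers['Content-Type'].should == <expected sanitised attachment type>` (the expected value is not visible in this hunk). Separately, `match("script")` builds a regex from a bare string and rejects any occurrence of the substring, including harmless words such as `description`, while it would also reject a correctly escaped `&lt;script&gt;`; anchoring to the tag, `response.body.should_not match(/<script/i)`, tests the actual risk. The enclosing describe block begins outside the hunk.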
diff --git a/spec/factories/foi_attchments.rb b/spec/factories/foi_attchments.rb
index 4e9875a00..a1d04ccf0 100644
--- a/spec/factories/foi_attchments.rb
+++ b/spec/factories/foi_attchments.rb
@@ -16,6 +16,11 @@ FactoryGirl.define do
filename 'interesting.rtf'
body { load_file_fixture('interesting.rtf') }
end
+ factory :html_attachment do
+ content_type 'text/html'
+ filename 'interesting.html'
+ body { load_file_fixture('interesting.html') }
+ end
end
end
diff --git a/spec/factories/incoming_messages.rb b/spec/factories/incoming_messages.rb
index 16930b887..b29fe8ce9 100644
--- a/spec/factories/incoming_messages.rb
+++ b/spec/factories/incoming_messages.rb
@@ -26,6 +26,14 @@ FactoryGirl.define do
end
end
+ factory :incoming_message_with_html_attachment do
+ after_create do |incoming_message, evaluator|
+ FactoryGirl.create(:html_attachment,
+ :incoming_message => incoming_message,
+ :url_part_number => 2)
+ end
+ end
+
factory :incoming_message_with_attachments do
# foi_attachments_count is declared as an ignored attribute and available in
# attributes on the factory, as well as the callback via the evaluator
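Review bot: `evaluator` on line 80 is declared but never used in the `after_create` block; either rename it `_evaluator` or drop the second parameter, `after_create do |incoming_message|`. The literal `:url_part_number => 2` on line 83 is duplicated by `:part => 2` in the request spec that consumes this factory, so a change to one silently breaks the other; a short comment on line 83 such as `# must match :part in the get_attachment spec` would at least make the coupling visible. The enclosing `FactoryGirl.define` block starts before the hunk.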
diff --git a/spec/fixtures/files/blog_feed.atom b/spec/fixtures/files/blog_feed.atom
index f49693938..a831243b4 100644
--- a/spec/fixtures/files/blog_feed.atom
+++ b/spec/fixtures/files/blog_feed.atom
@@ -29,7 +29,7 @@
<guid isPermaLink="false">http://www.example.com/?id=333</guid>
<description><![CDATA[An example post [...]]]></description>
<content:encoded><![CDATA[<h3>A blog post</h3>
-<p>Example post</p>
+<p>Example post</p><script>alert("exciting!")</script>
]]></content:encoded>
<wfw:commentRss>http://www.example.com/feed/</wfw:commentRss>
<slash:comments>2</slash:comments>
diff --git a/spec/fixtures/files/interesting.html b/spec/fixtures/files/interesting.html
new file mode 100644
index 000000000..4227eab45
--- /dev/null
+++ b/spec/fixtures/files/interesting.html
@@ -0,0 +1,7 @@
+<html>
+ <head>
+ </head>
+ <body>dull
+ <script>alert('interesting')</script>
+ </body>
+</html>