post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
assert_redirected_to :controller => 'quickvote', :ident => 'variable'
end
+
def test_display_tainted_quickvote
+ # create quickvote with tainted data
test_create_quickvote
qv=QuickVote.ident_to_quickvote('variable')
qv.description="<object>foo</object>"
- qv.candidate_names = ["<object>foo", "bar<object>", "<foobar>"]
+ qv.candidate_names = ["<object>foo", "bar<object>", "<foobar>",
+ '<img src="foo" alt="bar" />']
qv.save!
+
+ # display the vote/index page and check for bad tags and the ability
+ # to make an image tag
get :index, { 'ident' => 'variable' }
assert_response :success
assert_no_tag :tag => "object"
assert_no_tag :tag => "foobar"
+ assert_tag :tag => "img",
+ :parent => { :tag => "li", :attributes => { :class => "moveable" } }
+
+ # actually vote
votes = QuickVote.ident_to_quickvote('variable').candidates.collect { |c| c.id}
post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
+
+ # check for bad/good tags
assert_template('quickvote/thanks')
assert_no_tag :tag => "object"
assert_no_tag :tag => "foobar"
+ assert_tag :tag => "img", :parent => { :tag => "li" }
+
+ # get the results page and check for good/bad tags
get :results, { 'ident' => 'variable' }
assert_response :success
assert_no_tag :tag => "object"
assert_no_tag :tag => "foobar"
+ assert_tag :tag => "img", :parent => { :tag => "li" }
end
end
projects / selectricity-live / blobdiff