X-Git-Url: https://projects.mako.cc/source/selectricity-live/blobdiff_plain/94f498a0718776efa90193c918c6dd22f51329ac..50d95cd1569a8452323d565cf2f34fc63672cff7:/test/functional/quickvote_controller_test.rb?ds=inline
diff --git a/test/functional/quickvote_controller_test.rb b/test/functional/quickvote_controller_test.rb
index fbeb4a5..e116c0d 100644
--- a/test/functional/quickvote_controller_test.rb
+++ b/test/functional/quickvote_controller_test.rb
@@ -60,7 +60,7 @@ class QuickvoteControllerTest < Test::Unit::TestCase
 def test_get_quickvote_nonexistent
 get :index, { 'ident' => "idontexist" }
- assert_redirected_to :controller => 'site'
+ assert_redirected_to :controller => 'front'
 end
 def test_get_result_empty_vote
@@ -72,7 +72,7 @@ class QuickvoteControllerTest < Test::Unit::TestCase
 def test_get_result_nonexistent
 test_create_quickvote
 get :results, { 'ident' => 'asdflaksdjf' }
- assert_redirected_to :controller => 'site'
+ assert_redirected_to :controller => 'front'
 end
 def test_get_result_with_a_vote
@@ -115,24 +115,40 @@ class QuickvoteControllerTest < Test::Unit::TestCase post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} } assert_redirected_to :controller => 'quickvote', :ident => 'variable' end + def test_display_tainted_quickvote + # create quickvote with tainted data test_create_quickvote qv=QuickVote.ident_to_quickvote('variable') qv.description="foo" - qv.candidate_names = ["foo", "bar", ""] + qv.candidate_names = ["foo", "bar", "", + 'bar'] qv.save! + + # display the vote/index page and check for bad tags and the ability + # to make an image tag get :index, { 'ident' => 'variable' } assert_response :success assert_no_tag :tag => "object" assert_no_tag :tag => "foobar" + assert_tag :tag => "img", + :parent => { :tag => "li", :attributes => { :class => "moveable" } } + + # actually vote votes = QuickVote.ident_to_quickvote('variable').candidates.collect { |c| c.id} post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} } + + # check for bad/good tags assert_template('quickvote/thanks') assert_no_tag :tag => "object" assert_no_tag :tag => "foobar" + assert_tag :tag => "img", :parent => { :tag => "li" } + + # get the results page and check for good/bad tags get :results, { 'ident' => 'variable' } assert_response :success assert_no_tag :tag => "object" assert_no_tag :tag => "foobar" + assert_tag :tag => "img", :parent => { :tag => "li" } end end
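Review bot: test_display_tainted_quickvote proves that an `img` element survives sanitization on the index, thanks and results pages, but never checks that its attributes were stripped; an allowed tag carrying an `onerror`/`onload` handler or a `javascript:` `src` is the usual bypass of a tag-whitelist sanitizer, and `assert_tag :tag => "img"` passes either way. The tainted candidate name itself is not legible in this rendering (only `'bar'` survives on the added `candidate_names` line), so whether it already carries such attributes cannot be confirmed here. Next to each `assert_tag :tag => "img"` I would add `assert_no_tag :tag => "img", :attributes => { :onerror => /./ }` and `assert_no_tag :tag => "img", :attributes => { :src => /\Ajavascript:/i }`, and give the tainted candidate name a handler attribute and a `javascript:` URL so those assertions exercise something. The test also leaves `qv.description` at the benign `"foo"`, so the description field is not covered by the same bad-tag checks, and it depends on `test_create_quickvote` as a fixture helper rather than a setup method.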