Add a bunch of fixes to HTML escaping, and a test case for it

[selectricity] / test / functional / quickvote_controller_test.rb

diff --git a/test/functional/quickvote_controller_test.rb b/test/functional/quickvote_controller_test.rb
index 076a1047c0780dfe1c10a97f8b6a7475ae3ff6c1..02c133e1508c40c28d7fdd1443f1a916d9ccfa80 100644 (file)
--- a/test/functional/quickvote_controller_test.rb
+++ b/test/functional/quickvote_controller_test.rb
@@ -115,4 +115,24 @@ class QuickvoteControllerTest < Test::Unit::TestCase
     post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
     assert_redirected_to :controller => 'quickvote', :ident => 'variable'
   end
+  def test_display_tainted_quickvote
+    test_create_quickvote
+    qv=QuickVote.ident_to_quickvote('variable')
+    qv.description="<object>foo</object>"
+    qv.candidatelist = ["<object>foo", "bar<object>", "<foobar>"]
+    qv.save!
+    get :index, { 'ident' => 'variable' }
+    assert_response :success
+    assert_no_tag :tag => "object"
+    assert_no_tag :tag => "foobar"
+    votes = QuickVote.ident_to_quickvote('variable').candidates.collect { |c| c.id}
+    post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
+    assert_template('quickvote/thanks')
+    assert_no_tag :tag => "object"
+    assert_no_tag :tag => "foobar"
+    get :results, { 'ident' => 'variable' }
+    assert_response :success
+    assert_no_tag :tag => "object"
+    assert_no_tag :tag => "foobar"
+  end
 end