html_sanitization_spec.rb
  1. require File.dirname(__FILE__) + '/../../spec_helper'
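describe "CommentSanitization", :shared => true do
  # Shared example group (RSpec 1 `:shared => true`): each including group
  # supplies +comment_options+ — the attributes of the comment under test —
  # and inherits every check below, once per configured comment text filter.
  before do
    # Mocks consumed by the comments/show template rendered in each example.
    @article = mock_model(Article, :created_at => Time.now, :published_at => Time.now)
    Article.stub!(:find).and_return(@article)
    @blog = mock_model(Blog, :use_gravatar => false)
    @blog.stub!(:lang).and_return('en_US')
    @controller.template.stub!(:this_blog).and_return(@blog)
    prepare_comment
    @comment.stub!(:id).and_return(1)
    assigns[:comment] = @comment
  end

  # Builds the comment fixture. The with_options defaults supply a baseline
  # record (including a script-bearing body); the including group's
  # +comment_options+ are merged on top, so they take precedence.
  def prepare_comment
    Comment.with_options(:body => 'test foo <script>do_evil();</script>',
                         :author => 'Bob', :article => @article,
                         :created_at => Time.now) do |klass|
      @comment = klass.new(comment_options)
    end
  end

  # The same sanitization rules apply to every rendered region of the
  # comment, so the selectors are listed once and applied per region.
  ['', 'markdown', 'textile', 'smartypants', 'markdown smartypants'].each do |value|
    it "Should sanitize content rendered with the #{value} textfilter" do
      @blog.stub!(:comment_text_filter).and_return(value)
      render 'comments/show'
      ['.content', '.author'].each do |region|
        # The region must still be rendered — sanitizing must not drop it.
        response.should have_tag(region)
        # No script element survives sanitization.
        response.should_not have_tag("#{region} script")
        # Every surviving link is marked rel=nofollow.
        response.should_not have_tag("#{region} a:not([rel=nofollow])")
        # No links with javascript: neither an inline handler nor a
        # javascript: URL. NOTE(review): the prefix selector is literal, so
        # case or encoding variants of the scheme are not covered by it.
        response.should_not have_tag("#{region} a[onclick]")
        response.should_not have_tag("#{region} a[href^=javascript:]")
      end
    end
  end
end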
describe "First dodgy comment" do
  it_should_behave_like "CommentSanitization"

  # Body carrying an inline script element.
  def comment_options
    { :body => %q{test foo <script>do_evil();</script>} }
  end
end
describe "Second dodgy comment" do
  it_should_behave_like "CommentSanitization"

  # Body with a markdown-style link to an external host.
  def comment_options
    { :body => %q{link to [spammy goodness](http://spammer.example.com)} }
  end
end
describe "Dodgy comment #3" do
  it_should_behave_like "CommentSanitization"

  # Body with a raw HTML anchor whose href has no scheme.
  def comment_options
    { :body => %q{link to <a href="spammer.com">spammy goodness</a>} }
  end
end
describe "Extra Dodgy comment" do
  it_should_behave_like "CommentSanitization"

  # Raw HTML anchors in every user-supplied field, not just the body.
  # NOTE(review): the :author href quote is unterminated — presumably
  # deliberate malformed-markup input; confirm before "fixing" it.
  def comment_options
    {
      :body   => %q{<a href="http://spam.org">spam</a>},
      :author => %q{<a href="http://spamme.com>spamme</a>},
      :email  => %q{<a href="http://itsallspam.com/">its all spam</a>}
    }
  end
end
describe "XSS1" do
  it_should_behave_like "CommentSanitization"

  # Script element with a lang attribute embedded mid-sentence.
  def comment_options
    { :body => 'Have you ever <script lang="javascript">alert("foo");</script> been hacked?' }
  end
end
describe "XSS2" do
  it_should_behave_like "CommentSanitization"

  # Anchor carrying an inline event-handler attribute.
  def comment_options
    { :body => '<a href="#" onclick="javascript">bad link</a>' }
  end
end
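# Renamed from "XSS2": the previous group already uses that description, and
# duplicate names make a failure report ambiguous about which case failed.
describe "XSS3" do
  it_should_behave_like "CommentSanitization"

  # Anchor whose href uses the javascript: scheme.
  def comment_options
    { :body => %{<a href="javascript:bad">bad link</a>}}
  end
end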
describe "Comment with bare http URL" do
  it_should_behave_like "CommentSanitization"

  # A bare URL with no markup; any auto-linking must still carry nofollow.
  def comment_options
    { :body => 'http://www.example.com' }
  end
end
describe "Comment with bare email address" do
  it_should_behave_like "CommentSanitization"

  # A bare email address with no markup.
  def comment_options
    { :body => 'foo@example.com' }
  end
end