add unit test of escaping image urls (#9245)

Contributed by Holger Just. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7707 e93f8b46-1217-0410-a6f0-8f06a7374b81
2011-11-02 07:35:51 +00:00 · 2011-11-02 07:35:51 +00:00 · e300188982
parent 23fe2be246
commit e300188982
1 changed files with 7 additions and 0 deletions
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@ -197,6 +197,13 @@ EXPECTED
    assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
  end

+  def test_textile_should_escape_image_urls
+    # this is onclick="alert('XSS');" in encoded form
+    raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
+    expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
+    assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+  end
+
  private

  def assert_html_output(to_test, expect_paragraph = true)