add unit test of escaping image urls (#9245)
Contributed by Holger Just. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7707 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
23fe2be246
commit
e300188982
@ -197,6 +197,13 @@ EXPECTED
|
||||||
assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
|
assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_textile_should_escape_image_urls
|
||||||
|
# this is onclick="alert('XSS');" in encoded form
|
||||||
|
raw = '!/images/comment.png"onclick=alert('XSS');"!'
|
||||||
|
expected = '<p><img src="/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;" alt="" /></p>'
|
||||||
|
assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def assert_html_output(to_test, expect_paragraph = true)
|
def assert_html_output(to_test, expect_paragraph = true)
|
||||||
|
|
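Review bot: The `raw` literal in the added test_textile_should_escape_image_urls cannot be what the file holds as printed here: `'!/images/comment.png"onclick=alert('XSS');"!'` is a single-quoted Ruby string cut in two by the bare `'XSS'`, and the comment two lines above says the onclick is written "in encoded form". Most likely the rendered page decoded HTML entities in both literals, which would also explain why `expected` appears to assert that the `"` after `comment.png` survives unescaped, the opposite of what the test name promises; the raw patch should be read before relying on this view. Separately, comparing `expected.gsub(%r{\s+}, '')` against `to_html(raw).gsub(%r{\s+}, '')` strips whitespace from both sides, so output in which the quote closed `src` and `onclick=` became a separate attribute would still compare equal once spaces are removed. An additional assertion on the escaped form of the double quote in `to_html(raw)` would pin the property this test exists to prove.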