Add a test case where auto-escaping is turned on

2be9d050 · oreoshake · fcc40b1a · 2be9d050 · 2be9d050 · 2be9d050
3 changed file
--- a/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb
+++ b/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb
@@ -125,4 +125,8 @@ class UsersController < ApplicationController
  def results
    @users = User.all(:conditions => "display_name like '%#{params[:query]}%'")
  end
+
+  def to_json
+
+  end
 end
--- a/test/apps/rails_with_xss_plugin/app/views/users/to_json.html.erb
+++ b/test/apps/rails_with_xss_plugin/app/views/users/to_json.html.erb
+<%= raw({:asdf => params[:asdf]}.to_json) %>
\ No newline at end of file
--- a/test/tests/test_rails_with_xss_plugin.rb
+++ b/test/tests/test_rails_with_xss_plugin.rb
@@ -10,7 +10,7 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
    @expected ||= {
      :controller => 1,
      :model => 3,
-      :template => 1,
+      :template => 2,
      :warning => 14 }
  end

@@ -257,4 +257,13 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
      :confidence => 0,
      :file => /Gemfile/
  end
+
+  def test_to_json
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :file => /users\/to_json\.html\.erb/
+  end  
 end