Add test for CVE-2012-3464 (single quotes)

test/apps/rails_with_xss_plugin/config/initializers/single_quote_workaround.rb

+class ERB
+  module Util
+
+    if "html_safe exists".respond_to?(:html_safe)
+      def html_escape(s)
+        s = s.to_s
+        if s.html_safe?
+          s
+        else
+          Rack::Utils.escape_html(s).html_safe
+        end
+      end
+    else
+      def html_escape(s)
+        s = s.to_s
+        Rack::Utils.escape_html(s).html_safe
+      end
+    end
+
+    remove_method :h
+    alias h html_escape
+
+    class << self
+      remove_method :html_escape
+      remove_method :h
+    end
+
+    module_function :html_escape
+    module_function :h
+  end
+end

test/tests/test_rails2.rb

@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
         :controller => 1,
         :model => 2,
         :template => 31,
-        :warning => 29 }
+        :warning => 30 }
     else
       @expected ||= {
         :controller => 1,
         :model => 2,
         :template => 31,
-        :warning => 30 }
+        :warning => 31 }
     end
   end
 
@@ -633,6 +633,14 @@ class Rails2Tests < Test::Unit::TestCase
       :file => /test_xss_with_or\.html\.erb/
   end
 
+  def test_cross_site_scripting_single_quotes_CVE_2012_3464
+    assert_warning :type => :warning,
+      :warning_type => "Cross Site Scripting",
+      :message => /^All\ Rails\ 2\.x\ versions\ do\ not\ escape\ sin/,
+      :confidence => 1,
+      :file => /environment\.rb/
+  end
+
   def test_check_send
     assert_warning :type => :warning,
       :warning_type => "Dangerous Send",

test/tests/test_rails3.rb

@@ -15,7 +15,7 @@ class Rails3Tests < Test::Unit::TestCase
       :controller => 1,
       :model => 5,
       :template => 22,
-      :warning => 27
+      :warning => 28
     }
   end
 
@@ -595,6 +595,14 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /test_params\.html\.erb/
   end
 
+  def test_cross_site_scripting_single_quotes_CVE_2012_3464
+    assert_warning :type => :warning,
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 3\.0\.5\ does\ not\ escape\ single\ quote/,
+      :confidence => 1,
+      :file => /Gemfile/
+  end
+
   def test_CVE_2012_3424
     assert_warning :type => :warning,
       :warning_type => "Denial of Service",

test/tests/test_rails31.rb

@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
       :model => 0,
       :template => 11,
       :controller => 1,
-      :warning => 46 }
+      :warning => 47 }
   end
 
   def test_without_protection
@@ -527,6 +527,14 @@ class Rails31Tests < Test::Unit::TestCase
       :file => /\/g\.html\.erb/
   end
 
+  def test_cross_site_scripting_single_quotes_CVE_2012_3464
+    assert_warning :type => :warning,
+      :warning_type => "Cross Site Scripting",
+      :message => /^Rails\ 3\.1\.0\ does\ not\ escape\ single\ quote/,
+      :confidence => 1,
+      :file => /Gemfile/
+  end
+
   def test_file_access_indirect_user_input
     assert_warning :type => :warning,
       :warning_type => "File Access",

test/tests/test_rails_with_xss_plugin.rb

@@ -173,6 +173,13 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :file => /show\.html\.erb/
   end
 
+  def test_cross_site_scripting_single_quotes_CVE_2012_3464
+    assert_no_warning :type => :warning,
+      :warning_type => "Cross Site Scripting",
+      :message => /^All\ Rails\ 2\.x\ versions\ do\ not\ escape\ sin/,
+      :confidence => 1,
+      :file => /environment\.rb/
+  end
 
   def test_dynamic_render_path_15 
     assert_no_warning :type => :template,