Add tests for CVE-2012-3463 (select_tag)

test/apps/rails3.1/app/views/other/test_select_tag.html.erb

+<%= select_tag "name", options, :prompt => something_benign %>
+
+<%= select_tag "name", options, :prompt => "Select #{params[:name]}" %>

test/apps/rails3/app/views/other/test_select_tag.html.erb

+<%= select_tag "name", options, :prompt => something_benign %>
+
+<%= select_tag "name", options, :prompt => "Select #{params[:name]}" %>

test/tests/test_rails3.rb

@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
     @expected ||= {
       :controller => 1,
       :model => 5,
-      :template => 22,
+      :template => 23,
       :warning => 27
     }
   end
@@ -595,6 +595,15 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /test_params\.html\.erb/
   end
 
+  def test_cross_site_scripting_select_tag_CVE_2012_3463
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Upgrade\ to\ Rails\ 3\.0\.17,\ 3\.0\.5\ select_ta/,
+      :confidence => 0,
+      :file => /test_select_tag\.html\.erb/
+  end
+
   def test_CVE_2012_3424
     assert_warning :type => :warning,
       :warning_type => "Denial of Service",

test/tests/test_rails31.rb

@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
   def expected
     @expected ||= {
       :model => 0,
-      :template => 11,
+      :template => 12,
       :controller => 1,
       :warning => 46 }
   end
@@ -527,6 +527,15 @@ class Rails31Tests < Test::Unit::TestCase
       :file => /\/g\.html\.erb/
   end
 
+  def test_cross_site_scripting_select_tag_CVE_2012_3463
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Upgrade\ to\ Rails\ 3\.1\.8,\ 3\.1\.0\ select_tag/,
+      :confidence => 0,
+      :file => /test_select_tag\.html\.erb/
+  end
+
   def test_file_access_indirect_user_input
     assert_warning :type => :warning,
       :warning_type => "File Access",