Add test for `request.parameters`

63876137 · Justin Collins · e80fbbe1 · 63876137 · 63876137
隐藏空白更改
内联并排

Showing with 13 addition and 2 deletion

test/apps/rails3/app/views/home/test_params.html.erb test/apps/rails3/app/views/home/test_params.html.erb +3 -1

test/tests/test_rails3.rb test/tests/test_rails3.rb +10 -1

未找到文件。
--- a/test/apps/rails3/app/views/home/test_params.html.erb
+++ b/test/apps/rails3/app/views/home/test_params.html.erb
@@ -15,4 +15,6 @@ Dangerous href: <%= link_to "more text", params[:dangerous] %>

 Still dangerous hrefs: <%= link_to "donkey", not_safe(params[:bad_robot]) %>

-Not completely safe: <%= link_to "Helvetica hoodie bushwick", h(params[:js_xss]) %>
\ No newline at end of file
+Not completely safe: <%= link_to "Helvetica hoodie bushwick", h(params[:js_xss]) %>
+
+Request parameters: <%= raw request.parameters %>
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
    @expected ||= {
      :controller => 1,
      :model => 5,
-      :template => 21,
+      :template => 22,
      :warning => 24
    }
  end
@@ -548,4 +548,13 @@ class Rails3Tests < Test::Unit::TestCase
      :confidence => 0,
      :file => /_form\.html\.erb/
  end
+
+  def test_cross_site_scripting_request_parameters
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 20,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /test_params\.html\.erb/
+  end
 end