Add test for model name when rendering collection

instead of "UnknownModel"

Add test for model name when rendering collection
instead of "UnknownModel"
da420b6e · Justin Collins · 94fd4fb6 · da420b6e · da420b6e · da420b6e
5 changed file
--- a/test/apps/rails3.1/app/views/users/_bio.html.erb
+++ b/test/apps/rails3.1/app/views/users/_bio.html.erb
+<%= user_bio %>
--- a/test/apps/rails3.1/app/views/users/_user.html.erb
+++ b/test/apps/rails3.1/app/views/users/_user.html.erb
+<tr>
+  <td><%= user.name %></td>
+  <td><%= render 'bio', :locals => { :user_bio => raw(user.bio) } %>
+  <td><%= user.password %></td>
+  <td><%= user.email %></td>
+  <td><%= user.role %></td>
+  <td><%= link_to 'Show', user %></td>
+  <td><%= link_to 'Edit', edit_user_path(user) %></td>
+  <td><%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %></td>
+</tr>
--- a/test/apps/rails3.1/app/views/users/index.html.erb
+++ b/test/apps/rails3.1/app/views/users/index.html.erb
@@ -12,18 +12,7 @@
    <th></th>
  </tr>

-<% @users.each do |user| %>
-  <tr>
-    <td><%= user.name %></td>
-    <td><%= user.bio %></td>
-    <td><%= user.password %></td>
-    <td><%= user.email %></td>
-    <td><%= user.role %></td>
-    <td><%= link_to 'Show', user %></td>
-    <td><%= link_to 'Edit', edit_user_path(user) %></td>
-    <td><%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %></td>
-  </tr>
-<% end %>
+  <%= render 'user', :collection => @users %>
 </table>

 <br />

--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -335,7 +335,7 @@ class Rails3Tests < Test::Unit::TestCase
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
      :line => 1,
-      :message => /^Unescaped model attribute near line 1: \(/,
+      :message => /^Unescaped model attribute near line 1: User.new.first_name/,
      :confidence => 0,
      :file => /_user\.html\.erb/
  end

--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
  def expected
    @expected ||= {
      :model => 0,
-      :template => 16,
+      :template => 17,
      :controller => 1,
      :warning => 48 }
  end
@@ -527,6 +527,15 @@ class Rails31Tests < Test::Unit::TestCase
      :file => /\/g\.html\.erb/
  end

+  def test_model_name_in_collection_xss
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped model attribute near line 1: User\.new\.bio/,
+      :confidence => 0,
+      :file => /_bio\.html\.erb/
+  end
+
  def test_xss_multiple_exp_in_string_interpolation
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",