From da420b6ee6324cbdadecaa8feeb6336ef32140b0 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Sat, 29 Sep 2012 21:45:09 -0700
Subject: [PATCH] Add test for model name when rendering collection instead of "UnknownModel"
---
 test/apps/rails3.1/app/views/users/_bio.html.erb | 1 +
 test/apps/rails3.1/app/views/users/_user.html.erb | 10 ++++++++++
 test/apps/rails3.1/app/views/users/index.html.erb | 13 +------------
 test/tests/test_rails3.rb | 2 +-
 test/tests/test_rails31.rb | 11 ++++++++++-
 5 files changed, 23 insertions(+), 14 deletions(-)
 create mode 100644 test/apps/rails3.1/app/views/users/_bio.html.erb
 create mode 100644 test/apps/rails3.1/app/views/users/_user.html.erb
diff --git a/test/apps/rails3.1/app/views/users/_bio.html.erb b/test/apps/rails3.1/app/views/users/_bio.html.erb
new file mode 100644
index 00000000..7bbafc30
--- /dev/null
+++ b/test/apps/rails3.1/app/views/users/_bio.html.erb
@@ -0,0 +1 @@
+<%= user_bio %>
diff --git a/test/apps/rails3.1/app/views/users/_user.html.erb b/test/apps/rails3.1/app/views/users/_user.html.erb
new file mode 100644
index 00000000..605ce238
--- /dev/null
+++ b/test/apps/rails3.1/app/views/users/_user.html.erb
@@ -0,0 +1,10 @@
+
+ <%= user.name %>
+ <%= render 'bio', :locals => { :user_bio => raw(user.bio) } %>
+ <%= user.password %>
+ <%= user.email %>
+ <%= user.role %>
+ <%= link_to 'Show', user %>
+ <%= link_to 'Edit', edit_user_path(user) %>
+ <%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %>
+
diff --git a/test/apps/rails3.1/app/views/users/index.html.erb b/test/apps/rails3.1/app/views/users/index.html.erb
index d0931539..84dabe06 100644
--- a/test/apps/rails3.1/app/views/users/index.html.erb
+++ b/test/apps/rails3.1/app/views/users/index.html.erb
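Review bot: The render call added in `_user.html.erb` passes `:locals => { ... }` as the second argument to the string form of `render`, and in Rails 3.x that second argument is itself the locals hash, so `_bio.html.erb` would receive a local named `locals` and `user_bio` would be undefined if the view were ever executed; the `index.html.erb` hunk has the same shape, where `render 'user', :collection => @users` would bind a local `collection` instead of iterating the collection. These apps are fixtures that Brakeman scans rather than runs, so this only matters if the fixtures are meant to stay runnable, and changing them should be checked against Brakeman's render tracking since the new test depends on the `:locals` form resolving `user_bio`. The runnable equivalents would be `<%= render 'bio', :user_bio => raw(user.bio) %>` and `<%= render :partial => 'user', :collection => @users %>`. The `raw(user.bio)` flowing into `<%= user_bio %>` is the intended unescaped sink for the new test and should stay as written.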
@@ -12,18 +12,7 @@
-<% @users.each do |user| %>
-
- <%= user.name %>
- <%= user.bio %>
- <%= user.password %>
- <%= user.email %>
- <%= user.role %>
- <%= link_to 'Show', user %>
- <%= link_to 'Edit', edit_user_path(user) %>
- <%= link_to 'Destroy', user, :confirm => 'Are you sure?', :method => :delete %>
-
-<% end %>
+ <%= render 'user', :collection => @users %>
diff --git a/test/tests/test_rails3.rb b/test/tests/test_rails3.rb
index d5b761f4..ec77a529 100644
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -335,7 +335,7 @@ class Rails3Tests < Test::Unit::TestCase
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
 :line => 1,
- :message => /^Unescaped model attribute near line 1: \(/,
+ :message => /^Unescaped model attribute near line 1: User.new.first_name/,
 :confidence => 0,
 :file => /_user\.html\.erb/
 end
diff --git a/test/tests/test_rails31.rb b/test/tests/test_rails31.rb
index 74fd7e16..5474b6de 100644
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
 def expected
 @expected ||= {
 :model => 0,
- :template => 16,
+ :template => 17,
 :controller => 1,
 :warning => 48 }
 end
@@ -527,6 +527,15 @@ class Rails31Tests < Test::Unit::TestCase
 :file => /\/g\.html\.erb/
 end
+ def test_model_name_in_collection_xss
+ assert_warning :type => :template,
+ :warning_type => "Cross Site Scripting",
+ :line => 1,
+ :message => /^Unescaped model attribute near line 1: User\.new\.bio/,
+ :confidence => 0,
+ :file => /_bio\.html\.erb/
+ end
+
 def test_xss_multiple_exp_in_string_interpolation
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
-- GitLab
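Review bot: The new expected message in the `test_rails3.rb` hunk leaves the dots in `User.new.first_name` unescaped, so the regex accepts any character in those positions and is looser than the sibling assertion added in `test_rails31.rb`, which writes `User\.new\.bio`. Escaping them makes the match exact and keeps the two tests consistent: `:message => /^Unescaped model attribute near line 1: User\.new\.first_name/,`. The `assert_warning` call sits entirely inside the hunk, but the enclosing test method's `def` line is outside it.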
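Review bot: `test_model_name_in_collection_xss` in the second `test_rails31.rb` hunk pins only the positive case — that a warning message names `User\.new\.bio` — but nothing asserts that the "UnknownModel" placeholder the commit title says it replaces no longer appears, so a regression that emitted both a resolved and an unresolved warning for `_bio.html.erb` would still pass. A complementary negative assertion on the same `:file` (no template warning whose `:message` matches `/UnknownModel/`) would close that gap; the test helpers are defined outside this hunk, so I have not named one. The matching count bump to `:template => 17` in the first hunk is consistent with exactly one new warning from the new partial, which is what such a negative check would also protect.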