Add tests for `content_tag`

dcc2cc2e · Justin Collins · a4fc0bbd · dcc2cc2e · dcc2cc2e · dcc2cc2e
5 changed file
--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -141,6 +141,10 @@ class HomeController < ApplicationController
    @user = User.find(current_user)
  end

+  def test_content_tag
+    @user = User.find(current_user)
+  end
+
  private

  def filter_it

--- a/test/apps/rails2/app/views/home/test_content_tag.html.erb
+++ b/test/apps/rails2/app/views/home/test_content_tag.html.erb
+Should not warn
+<%= content_tag :p, h(params[:something]) %>
+
+Should warn
+<%= content_tag :span, @user.name %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] }, true %>
+
+Should warn
+<%= content_tag :div, "Blah!", { cookies[:weird] => "bad idea" } %>
+
+Should not warn
+<%= content_tag :h1, params[:x] == 1 ? "totally" : "safe" %>
+
+Should still warn
+<%= content_tag :div, "Blah!", { @user.something => "bad idea"}, true %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] } %>
+
+Should warn
+<%= content_tag :div, "Blah!", { :id => @user.name }, false %>
+
+Should warn, medium confidence
+<%= content_tag :div, x(params[:maybe_bad]) %>
--- a/test/apps/rails3/app/controllers/home_controller.rb
+++ b/test/apps/rails3/app/controllers/home_controller.rb
@@ -92,6 +92,10 @@ class HomeController < ApplicationController
    y + 1 + 2
  end

+  def test_content_tag
+    @user = User.find(current_user)
+  end
+
  private

  def filter_it

--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 33,
+        :template => 38,
        :warning => 31}
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 33,
+        :template => 38,
        :warning => 32 }
    end
  end
@@ -651,6 +651,69 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /test_strip_tags\.html\.erb/
  end

+  def test_xss_content_tag_body
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 5,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_escaped
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 8,
+      :message => /^Unescaped\ cookie\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_attribute_name
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 11,
+      :message => /^Unescaped\ cookie\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_attribute_name_even_with_escape_set
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 17,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_cross_site_scripting_escaped_by_default
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 20,
+      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_unescaped_on_purpose
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 23,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_indirect_body
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 26,
+      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
+      :confidence => 1,
+      :file => /test_content_tag\.html\.erb/
+  end
+
  def test_cross_site_scripting_single_quotes_CVE_2012_3464
    assert_warning :type => :warning,
      :warning_type => "Cross Site Scripting",

--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
    @expected ||= {
      :controller => 1,
      :model => 5,
-      :template => 23,
+      :template => 27,
      :warning => 29
    }
  end
@@ -586,6 +586,42 @@ class Rails3Tests < Test::Unit::TestCase
      :file => /_form\.html\.erb/
  end

+  def test_xss_content_tag_raw_content
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 8,
+      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_attribute_name
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 14,
+      :message => /^Unescaped\ cookie\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_attribute_name_even_with_escape
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 20,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_xss_content_tag_unescaped_attribute
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 26,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end 
+
  def test_cross_site_scripting_request_parameters
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",