Add test for XSS in `content_tag` tag name

Also commit Rails 3 test file which I forgot, oops

Add test for XSS in `content_tag` tag name
Also commit Rails 3 test file which I forgot, oops
b26c59d2 · Justin Collins · ef60d0d6 · b26c59d2 · b26c59d2
隐藏空白更改
内联并排

Showing with 54 addition and 1 deletion

test/apps/rails3/app/views/home/test_content_tag.html.erb test/apps/rails3/app/views/home/test_content_tag.html.erb +35 -0

test/tests/test_rails3.rb test/tests/test_rails3.rb +19 -1

未找到文件。
--- a/test/apps/rails3/app/views/home/test_content_tag.html.erb
+++ b/test/apps/rails3/app/views/home/test_content_tag.html.erb
+Should not warn
+<%= content_tag :p, h(params[:something]) %>
+
+Should not warn
+<%= content_tag :span, @user.name %>
+
+Should warn
+<%= content_tag :span, raw(params[:blah]) %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] }, true %>
+
+Should warn
+<%= content_tag :div, "Blah!", { cookies[:weird] => "bad idea" } %>
+
+Should not warn
+<%= content_tag :h1, params[:x] == 1 ? "totally" : "safe" %>
+
+Should still warn
+<%= content_tag :div, "Blah!", { @user.something => "bad idea"}, true %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] } %>
+
+Should warn
+<%= content_tag :div, "Blah!", { :id => @user.name }, false %>
+
+Should not warn
+<%= content_tag :div, x(params[:maybe_bad]) %>
+
+Should warn
+<%= content_tag params[:whyyy], "Don't do this" %>
+
+Should warn
+<%= content_tag @user.preferred_markup, "Seriously" %>
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
    @expected ||= {
      :controller => 1,
      :model => 5,
-      :template => 27,
+      :template => 29,
      :warning => 29
    }
  end
@@ -622,6 +622,24 @@ class Rails3Tests < Test::Unit::TestCase
      :file => /test_content_tag\.html\.erb/
  end 

+  def test_xss_content_tag_in_tag_name
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 32,
+      :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
+  def test_cross_site_scripting_model_in_tag_name
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 35,
+      :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+      :confidence => 0,
+      :file => /test_content_tag\.html\.erb/
+  end
+
  def test_cross_site_scripting_request_parameters
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",