From b26c59d2b8ed63521c4d7a2bd9bf537df5229b18 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Fri, 31 Aug 2012 11:04:31 -0700
Subject: [PATCH] Add test for XSS in `content_tag` tag name
Also commit Rails 3 test file which I forgot, oops
---
 .../app/views/home/test_content_tag.html.erb | 35 +++++++++++++++++++
 test/tests/test_rails3.rb | 20 ++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 test/apps/rails3/app/views/home/test_content_tag.html.erb
diff --git a/test/apps/rails3/app/views/home/test_content_tag.html.erb b/test/apps/rails3/app/views/home/test_content_tag.html.erb
new file mode 100644
index 00000000..282dbe42
--- /dev/null
+++ b/test/apps/rails3/app/views/home/test_content_tag.html.erb
@@ -0,0 +1,35 @@
+Should not warn
+<%= content_tag :p, h(params[:something]) %>
+
+Should not warn
+<%= content_tag :span, @user.name %>
+
+Should warn
+<%= content_tag :span, raw(params[:blah]) %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] }, true %>
+
+Should warn
+<%= content_tag :div, "Blah!", { cookies[:weird] => "bad idea" } %>
+
+Should not warn
+<%= content_tag :h1, params[:x] == 1 ? "totally" : "safe" %>
+
+Should still warn
+<%= content_tag :div, "Blah!", { @user.something => "bad idea"}, true %>
+
+Should not warn
+<%= content_tag :div, "Blah!", { :class => params[:class] } %>
+
+Should warn
+<%= content_tag :div, "Blah!", { :id => @user.name }, false %>
+
+Should not warn
+<%= content_tag :div, x(params[:maybe_bad]) %>
+
+Should warn
+<%= content_tag params[:whyyy], "Don't do this" %>
+
+Should warn
+<%= content_tag @user.preferred_markup, "Seriously" %>
diff --git a/test/tests/test_rails3.rb b/test/tests/test_rails3.rb
index 990308b8..f0f64045 100644
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
 @expected ||= {
 :controller => 1,
 :model => 5,
- :template => 27,
+ :template => 29,
 :warning => 29
 }
 end
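Review bot: Nothing in this fixture records that test/tests/test_rails3.rb asserts on its line numbers (`:line => 32` for `content_tag params[:whyyy]`, `:line => 35` for `content_tag @user.preferred_markup`), so a case inserted above those two lines would break the assertions while the template itself still reads correctly. Because any comment added here shifts lines as well, the coupling is better documented on the Ruby side, e.g. `# :line values index into test_content_tag.html.erb; append new cases there, never insert`. The "Should warn"/"Should not warn" labels are the only statement of intent for each case and should stay paired one-to-one with the `<%= ... %>` line below them, since that pairing is what a reader uses to map a failing `:line` back to a case.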
@@ -622,6 +622,24 @@ class Rails3Tests < Test::Unit::TestCase
 :file => /test_content_tag\.html\.erb/
 end
 
+ def test_xss_content_tag_in_tag_name
+ assert_warning :type => :template,
+ :warning_type => "Cross Site Scripting",
+ :line => 32,
+ :message => /^Unescaped\ parameter\ value\ in\ content_tag/,
+ :confidence => 0,
+ :file => /test_content_tag\.html\.erb/
+ end
+
+ def test_cross_site_scripting_model_in_tag_name
+ assert_warning :type => :template,
+ :warning_type => "Cross Site Scripting",
+ :line => 35,
+ :message => /^Unescaped\ model\ attribute\ in\ content_tag/,
+ :confidence => 0,
+ :file => /test_content_tag\.html\.erb/
+ end
+
 def test_cross_site_scripting_request_parameters
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
-- GitLab
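Review bot: `test_xss_content_tag_in_tag_name` breaks the naming pattern of its new sibling `test_cross_site_scripting_model_in_tag_name` and of the surrounding `test_cross_site_scripting_request_parameters`; renaming it to `def test_cross_site_scripting_parameter_in_tag_name` keeps the two tag-name cases adjacent and greppable by the same prefix. The `\ ` escapes in `/^Unescaped\ parameter\ value\ in\ content_tag/` and `/^Unescaped\ model\ attribute\ in\ content_tag/` only matter in extended (`/x`) mode; `/^Unescaped parameter value in content_tag/` matches the same message and reads more easily. Both methods pin `:line => 32` and `:line => 35` to the last two cases of test_content_tag.html.erb, so a case inserted above them in that fixture shifts the expected lines; a one-line comment above the first new method, e.g. `# :line values index into test_content_tag.html.erb; append new cases there`, would make that dependency visible to the next person editing the fixture.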