Add test for `model.attribute.to_i` in XSS

fa40239c · Justin Collins · b8f9a415 · fa40239c · fa40239c
隐藏空白更改
内联并排

Showing with 13 addition and 0 deletion

test/apps/rails2/app/views/other/test_to_i.html.erb test/apps/rails2/app/views/other/test_to_i.html.erb +4 -0

test/tests/test_rails2.rb test/tests/test_rails2.rb +9 -0

未找到文件。
--- a/test/apps/rails2/app/views/other/test_to_i.html.erb
+++ b/test/apps/rails2/app/views/other/test_to_i.html.erb
@@ -3,3 +3,7 @@
 <%= request.env[:QUERY_STRING].to_i %>

 <%= out @id %>
+
+<%= User.current.age.to_i %>
+
+<%= out Account.current.number.to_i %>
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -815,4 +815,13 @@ class Rails2Tests < Test::Unit::TestCase
      :confidence => 0,
      :file => /test_to_i\.html\.erb/
  end
+
+  def test_xss_with_model_attribute_to_i
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 7,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 1,
+      :file => /test_to_i\.html\.erb/
+  end
 end