/test/shoulda_macros/models.rb
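Test::Unit::TestCase.class_eval do
  # Shoulda-style macro for model tests: for every attribute named, generate a
  # test that assigns a set of well-known XSS payloads (the RSnake / OWASP
  # cheat-sheet classics), saves the record, and asserts that the raw payload
  # does not come back unchanged from the attribute reader.
  #
  # Usage inside a model test case:
  #   should_whitelist :title, :body
  #
  # Depends on the shoulda helpers `model_class` and `should`, which are not
  # defined in this file; `klass.find(:first)` is the Rails 2 finder API.
  #
  # Limitations a reviewer should be aware of:
  # * The assertion is "the exact payload is not a substring of the stored
  #   value". A sanitizer that alters a single character still passes, so this
  #   is a smoke test for "some filtering happens", not proof that the stored
  #   HTML is safe to render unescaped. Pair it with output escaping.
  # * The return value of `object.save` is deliberately not asserted, to avoid
  #   failing models with unrelated validations on the fixture record. If the
  #   save fails, the value read back is whatever the setter left in memory,
  #   not what was persisted.
  # * The test mutates the first fixture record; it relies on transactional
  #   fixtures (or equivalent) to undo that.
  def self.should_whitelist(*attributes)
    bad_scripts = [
      %|';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>|,
      %|'';!--"<XSS>=&{()}|,
      %|<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>|,
      %|<IMG SRC="javascript:alert('XSS');">|,
      %|<IMG SRC=javascript:alert('XSS')>|,
      # Mixed-case scheme: catches filters that only match lowercase "javascript:".
      %|<IMG SRC=JaVaScRiPt:alert('XSS')>|,
      %|<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>|,
      %|<IMG """><SCRIPT>alert("XSS")</SCRIPT>">|,
      %|<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>|,
      # Scheme split by an embedded newline and tab, plus an obfuscated IP: the
      # whitespace is the point of this vector, so it is written with escapes
      # rather than literal control characters.
      %|<A HREF="h\ntt p://6\t6.000146.0x7.147/">XSS</A>|,
      %|<script>alert('message');</script>|
    ].freeze

    klass = model_class
    attributes.each do |attribute|
      attribute = attribute.to_sym
      should "white list #{attribute}" do
        object = klass.find(:first)
        assert object, "Can't find first #{klass}"
        bad_scripts.each do |bad_value|
          object.send("#{attribute}=", bad_value)
          object.save
          # to_s: a sanitizer (or a rejected save) may leave the attribute nil;
          # calling include? on nil raised NoMethodError instead of producing a
          # readable assertion failure.
          clean_value = object.send(attribute).to_s
          assert !clean_value.include?(bad_value), "#{attribute} is not white listed. #{bad_value} made it through"
        end
      end
    end
  end
end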