Commit 9cbadec6 authored by Steffen van Bergerem's avatar Steffen van Bergerem Committed by Benjamin Neff

Move 'XSS via name parameter' to mobile conversation specs

because the desktop view doesn't use the name parameter anymore
parent 2b6465ef
......@@ -17,7 +17,7 @@ describe ConversationsController, :type => :controller do
end
describe "#new modal" do
context "desktop and mobile" do
context "desktop" do
it "succeeds" do
get :new, modal: true
expect(response).to be_success
......@@ -32,14 +32,6 @@ describe ConversationsController, :type => :controller do
get :new, aspect_id: alice.aspects.first.id, modal: true
expect(controller.gon.conversation_prefill).to eq(alice.aspects.first.contacts.map {|c| c.person.as_json })
end
it "does not allow XSS via the name parameter" do
["</script><script>alert(1);</script>",
'"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
get :new, modal: true, name: xss
expect(response.body).not_to include xss
end
end
end
context "mobile" do
......@@ -58,6 +50,14 @@ describe ConversationsController, :type => :controller do
expect(assigns(:contacts_json)).not_to include(alice.contacts.where(receiving: false).first.person.name)
end
it "does not allow XSS via the name parameter" do
["</script><script>alert(1);</script>",
'"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
get :new, modal: true, name: xss
expect(response.body).not_to include xss
end
end
it "does not allow XSS via the profile name" do
xss = "<script>alert(0);</script>"
contact = alice.contacts.first
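Review bot: The moved example `it "does not allow XSS via the name parameter"` only asserts that the raw payload is absent from `response.body`, so an error page or a redirect that never renders the name would pass just as well; adding `expect(response).to be_success` inside the loop, next to the `include` check, pins that the mobile template actually rendered with the parameter. Whatever makes this context exercise the mobile view (a format or user-agent hook) sits outside the hunk, so it is worth confirming the request still reaches the mobile template rather than the desktop path the example was removed from, since the commit message is the only thing saying desktop no longer reads the parameter. The two payload strings are repeated verbatim from the deleted desktop example; a `let(:xss_payloads)` shared by the spec would keep them in one place. The enclosing `context "mobile"` block continues outside the hunk.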