Loading spec/controllers/conversations_controller_spec.rb +9 −9 Original line number Diff line number Diff line Loading @@ -17,7 +17,7 @@ describe ConversationsController, :type => :controller do end describe "#new modal" do context "desktop and mobile" do context "desktop" do it "succeeds" do get :new, modal: true expect(response).to be_success Loading @@ -32,14 +32,6 @@ describe ConversationsController, :type => :controller do get :new, aspect_id: alice.aspects.first.id, modal: true expect(controller.gon.conversation_prefill).to eq(alice.aspects.first.contacts.map {|c| c.person.as_json }) end it "does not allow XSS via the name parameter" do ["</script><script>alert(1);</script>", '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss| get :new, modal: true, name: xss expect(response.body).not_to include xss end end end context "mobile" do Loading @@ -58,6 +50,14 @@ describe ConversationsController, :type => :controller do expect(assigns(:contacts_json)).not_to include(alice.contacts.where(receiving: false).first.person.name) end it "does not allow XSS via the name parameter" do ["</script><script>alert(1);</script>", '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss| get :new, modal: true, name: xss expect(response.body).not_to include xss end end it "does not allow XSS via the profile name" do xss = "<script>alert(0);</script>" contact = alice.contacts.first Loading Loading
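Review bot: The moved "does not allow XSS via the name parameter" example in the third hunk asserts only `expect(response.body).not_to include xss`, which passes just as well if the request fails with a 500 error page, redirects, or renders a partially escaped payload, so it does not prove the template encodes the parameter. Add a success check before the body assertion, consistent with the "succeeds" example earlier in the same file: `get :new, modal: true, name: xss` / `expect(response).to be_success` / `expect(response.body).not_to include xss`. It would be stronger still to assert that the escaped form actually appears (HTML-escaped for markup, JSON-encoded for the gon prefill), though the exact encoding depends on the view, which is not visible here. Note that the first hunk renames the context to "desktop" and the second removes this example from it, so the desktop modal no longer has any `name`-parameter XSS coverage; if the desktop template still reads `params[:name]`, that coverage should be kept there as well. The enclosing `describe "#new modal"` block starts and ends outside these hunks.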