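ActiveSupport::TestCase.class_eval do
  # Defines one test per attribute asserting that a fixed set of XSS-style
  # payloads does not survive assignment + save verbatim.
  #
  # Usage, inside a test case whose harness defines model_class:
  #   should_whitelist :title, :body
  #
  # Depends on two names supplied by the surrounding harness (shoulda):
  #   model_class - the model under test for this test case
  #   should      - defines a test with the given description
  #
  # @param attributes [Array<Symbol, String>] attribute names to exercise
  # @return [void]
  def self.should_whitelist(*attributes)
    # Payloads written into each attribute. Casing, quoting and encoding are
    # varied on purpose so a sanitizer that only handles the canonical form is
    # caught. Frozen so a test body cannot mutate the shared list.
    bad_scripts = [
      %|';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>|,
      %|'';!--"<XSS>=&{()}|,
      %|<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>|,
      %|<IMG SRC="javascript:alert('XSS');">|,
      %|<IMG SRC=javascript:alert('XSS')>|,
      %|<IMG SRC=JaVaScRiPt:alert('XSS')>|,
      %|<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>|,
      %|<IMG """><SCRIPT>alert("XSS")</SCRIPT>">|,
      %|<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>|,
      %|<A HREF="h tt p://6	6.000146.0x7.147/">XSS</A>|,
      %|<script>alert('message');</script>|
    ].freeze

    klass = model_class
    attributes.each do |attribute|
      attribute = attribute.to_sym
      should "white list #{attribute}" do
        assert object = klass.find(:first), "Can't find first #{klass}"
        bad_scripts.each do |bad_value|
          object.send("#{attribute}=", bad_value)
          # The return value of save is deliberately not asserted: the check
          # below reads the in-memory attribute, so if a failed save skipped a
          # save-time sanitizer the payload is still reported as "made it through".
          object.save
          # A sanitizer may clear the attribute entirely; to_s keeps a nil value
          # from raising NoMethodError on include? and treats it as clean.
          clean_value = object.send(attribute).to_s
          # NOTE(review): this only detects the payload surviving verbatim; a
          # partially stripped value still passes. Tighten if the sanitizer's
          # contract is stronger than "not byte-identical to the input".
          # `assert !` rather than refute/assert_not: the file targets the
          # Test::Unit-era API (find(:first)), where those helpers may be absent.
          assert !clean_value.include?(bad_value), "#{attribute} is not white listed. #{bad_value} made it through"
        end
      end
    end
  end
end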