Sha256: e1b376e293230a5f5cb400bf908fda8c4140dc31a9009908e66a0bbbb15f27f6

Contents

require 'spec_helper'

# Unit spec for the Liquid drop that exposes a params Hash to templates.
#
# What the examples below pin down:
#   * before_method(key) returns an object whose #to_s is HTML-entity escaped,
#     and is the empty string when the key is absent;
#   * #html_safe on that object returns the original value, unescaped;
#   * #unsafe answers #[] and #each_pair over the params.
#
# NOTE(review): only <, > and ' are exercised below; the encoding of " and &
# is not asserted anywhere in this file.
describe Locomotive::Steam::Liquid::Drops::Params do
  let(:raw_params)  { { 'foo' => '42' } }
  let(:params_drop) { described_class.new(raw_params) }

  # A key that is not in the params renders as an empty string.
  it do
    rendered = params_drop.before_method('bar').to_s
    expect(rendered).to eq('')
  end

  # A plain value is rendered unchanged.
  it do
    rendered = params_drop.before_method('foo').to_s
    expect(rendered).to eq('42')
  end

  describe 'prevent XSS attack' do
    context 'passing data from Liquid to HTML' do
      let(:raw_params) do
        { 'foo' => 'Hello<script>alert(document.cookie)</script>' }
      end

      # Default rendering (#to_s): angle brackets become &lt; / &gt;, so the
      # value cannot open an element when it is written into HTML text.
      it do
        rendered = params_drop.before_method('foo').to_s
        expect(rendered).to eq('Hello&lt;script&gt;alert(document.cookie)&lt;/script&gt;')
      end

      context 'security is disabled' do
        # #html_safe is the explicit opt-out: the value comes back exactly as
        # supplied. A template that uses it takes over responsibility for
        # encoding the value for wherever it is written.
        it do
          raw = params_drop.before_method('foo').html_safe
          expect(raw).to eq('Hello<script>alert(document.cookie)</script>')
        end
      end
    end

    context 'passing data from Liquid to Javascript' do
      let(:raw_params) { { 'foo' => "'+alert(document.cookie)+'" } }

      # The single quote is emitted as the HTML entity &#39;.
      # NOTE(review): this is HTML encoding, not JavaScript string encoding.
      # Whether it is enough depends on where the template writes the value:
      # HTML attribute values have their entities decoded before any script in
      # them runs, and characters that matter to JavaScript but not to HTML
      # (backslash, line terminators) are not covered by this expectation.
      # Confirm the intended output contexts and consider a dedicated
      # JS/JSON-encoding path with its own examples.
      it do
        rendered = params_drop.before_method('foo').to_s
        expect(rendered).to eq('&#39;+alert(document.cookie)+&#39;')
      end
    end
  end

  describe 'gives access to the Hash object through the unsafe method' do
    let(:raw_params) { { 'foo' => 'hello', 'bar' => 'world' } }

    # NOTE(review): the sample values contain no markup, so these examples do
    # not show whether #unsafe escapes anything. Going by its name it
    # presumably does not -- verify against the drop, and treat whatever is
    # read through it as untrusted input that the template must encode itself.
    it 'expects to respond to []' do
      looked_up = params_drop.unsafe['foo']
      expect(looked_up).to eq('hello')
    end

    it 'expects to respond to each_pair' do
      values = []
      params_drop.unsafe.each_pair { |pair| values << pair.last }
      expect(values.join(' ')).to eq('hello world')
    end
  end
end

Version data entries

2 entries across 2 versions & 1 rubygems

Version Path
locomotivecms_steam-1.5.0.rc0 spec/unit/liquid/drops/params_spec.rb
locomotivecms_steam-1.5.0.beta3 spec/unit/liquid/drops/params_spec.rb