spec/bbcoder_spec.rb in bbcoder-1.0.0 vs spec/bbcoder_spec.rb in bbcoder-1.0.1
@@ -1,9 +1,36 @@
require 'spec_helper'
describe BBCoder do
+ context "quotes" do
+ it "displays the quoted party if provided" do
+ string = "[quote=weedman]Said some thing about some stuff[/quote]"
+
+ string.bbcode_to_html.should == <<-EOS
+<fieldset>
+ <legend>weedman says</legend>
+ <blockquote>
+ Said some thing about some stuff
+ </blockquote>
+</fieldset>
+ EOS
+ end
+
+ it "has no legend if no quoted party provided" do
+ string = "[quote]Said some thing about some stuff[/quote]"
+
+ string.bbcode_to_html.should == <<-EOS
+<fieldset>
+ <blockquote>
+ Said some thing about some stuff
+ </blockquote>
+</fieldset>
+ EOS
+ end
+ end
+
context "with dirty input" do
it "should parse content with \" in it" do
'[p]Text phrase: "going away"[/p]'.bbcode_to_html.should == '<p>Text phrase: "going away"</p>'
end
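Review bot: The two new quote examples pin down the legend markup, but neither checks that the quoted party's name is HTML-escaped before it is placed inside `<legend>…</legend>`, which is the one spot in this hunk where author-supplied text is interpolated into element content; I cannot tell from the hunk whether the implementation escapes it. A third example in the same `context "quotes"` block, such as `"[quote=<b>x</b>]hi[/quote]".bbcode_to_html.should_not include("<b>")`, would make that behaviour explicit either way. A reader should also keep in mind that `<<-EOS` preserves each line's leading whitespace, so the indented `<legend>` and `<blockquote>` lines are part of the expected output byte-for-byte, consistent with the whitespace fix in the later hunk at old line 18. The enclosing `describe BBCoder` block continues past the hunk.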
@@ -18,11 +45,11 @@
it "should parse content with } in it round 2" do
string = "[quote=weedman]YES I STICKY IT ALL oF YOU WHO DON'T LIKE it SEND YOUR HATE HERE\n\nhttp://www.gamesyn.com/plugin.php?plugin=PrivateMessages&file=message_send.php&id=20&tid=1583\n\n:} have a good day[/quote]"
result = <<-EOS
<fieldset>
-<legend>weedman says</legend>
+ <legend>weedman says</legend>
<blockquote>
YES I STICKY IT ALL oF YOU WHO DON\'T LIKE it SEND YOUR HATE HERE\n\nhttp://www.gamesyn.com/plugin.php?plugin=PrivateMessages&file=message_send.php&id=20&tid=1583\n\n:} have a good day
</blockquote>
</fieldset>
EOS
@@ -65,11 +92,10 @@
it "should parse a combination of statements" do
output = "[p]Text and now [b]bold then [i]italics[/i][/b][/p] and then a [quote]Quote[/quote]".bbcode_to_html
output.should == <<-EOS
<p>Text and now <strong>bold then <em>italics</em></strong></p> and then a <fieldset>
-<legend> says</legend>
<blockquote>
Quote
</blockquote>
</fieldset>
EOS
@@ -147,9 +173,50 @@
"[img]image.exe[/img]".bbcode_to_html.should == "[img]image.exe[/img]"
end
it "should handle an img tag match for meta" do
"[img=image.exe]".bbcode_to_html.should == "[img=image.exe]"
+ end
+ end
+
+ context "with xss attacks" do
+ it "should reject anything other than http/https for url tags" do
+ "[url=javascript:alert('You got hacked!')]hacked[/url]".bbcode_to_html.should == "[url=javascript:alert('You got hacked!')]hacked[/url]"
+ "[url]javascript:alert('You got hacked!')[/url]".bbcode_to_html.should == "[url]javascript:alert('You got hacked!')[/url]"
+
+ '[url=javascript:window.alert("You got hacked!")]click[/url]'.bbcode_to_html.should == '[url=javascript:window.alert("You got hacked!")]click[/url]'
+ end
+
+ it "should reject anything other than http/https for img tags" do
+ "[img=javascript:alert('XSS');jpg]".bbcode_to_html.should == "[img=javascript:alert('XSS');jpg]"
+ "[img]javascript:alert('XSS');png[/img]".bbcode_to_html.should == "[img]javascript:alert('XSS');png[/img]"
+ '[img]javascript:window.alert("You got hacked!")//.jpg[/img]'.bbcode_to_html.should == '[img]javascript:window.alert("You got hacked!")//.jpg[/img]'
+
+ attack = "[img]
+j
+a
+v
+a
+s
+c
+r
+i
+p
+t
+:
+a
+l
+e
+r
+t
+(
+'
+X
+S
+S
+'
+);jpg[/img]"
+ attack.bbcode_to_html.should == attack
end
end
end
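Review bot: Every example in the new `context "with xss attacks"` block is a negative case, so a regression that rejected every scheme — `http` and `https` included — would still pass; add one positive example per tag showing an `http://` and an `https://` URL being accepted and the resulting `href`/`src` as rendered, so the allow-list is pinned from both sides. The assertions also rely on rejected markup being echoed back verbatim (`attack.bbcode_to_html.should == attack`); a one-line comment above the first example, e.g. `# rejected tags are left as literal text, neither stripped nor rewritten`, would record that this is intended rather than incidental. The multi-line `attack` literal would read more clearly as `attack = "[img]\n" + "javascript:alert('XSS'".chars.join("\n") + "\n);jpg[/img]"`, which makes the one-character-per-line shape obvious. The enclosing `describe BBCoder` block begins outside the hunk.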