spec/lib/onebox/engine_spec.rb in onebox-1.5.21 vs spec/lib/onebox/engine_spec.rb in onebox-1.5.22

- old
+ new

@@ -19,13 +19,19 @@ describe "#link" do
 before { allow(Onebox::View).to receive(:template) { %|this shold be a template| } }
 it "escapes `link`" do
- html = OneboxEngineExample.new(%|http://foo.com" onscript="alert('foo')|).to_html
- expect(html).not_to include(%|onscript="alert('foo')|)
+ html = OneboxEngineExample.new(%|http://foo.com/'?a=1&b=2|).to_html
+ expect(html).not_to match(/&(?!amp;)(?!#39;)/)
 end
+
+ it "escapes xss" do
+ skip 'this is checking the wrong thing'
+ html = OneboxEngineExample.new(%|http://foo.com/'?%20onmouseover=alert(/foo/)|).to_html
+ expect(html).not_to include(%|onmouseover=alert(/foo/)|)
+ end
 end
 describe "#record" do
 class OneboxEngineRecord
 include Onebox::Engine
@@ -64,9 +70,23 @@ result = OneboxEngineTripleEqual === URI("http://www.example.com/product/5?var=foo&bar=5")
 expect(result).to eq(true)
 end
 end
+ class AlwaysHttpsEngineExample < OneboxEngineExample
+ always_https
+ end
+
+ describe "always_https" do
+ it "never returns a plain http url" do
+ url = 'http://play.google.com/store/apps/details?id=com.google.android.inputmethod.latin'
+ onebox = AlwaysHttpsEngineExample.new(url)
+ result = onebox.to_html
+ expect(result).to_not match(/http(?!s)/)
+ expect(result).to_not match(/['"]\/\//)
+ expect(result).to match(/https/)
+ end
+ end
 end
 describe ".onebox_name" do
 module ScopeForTemplateName
 class TemplateNameOnebox
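Review bot: The rewritten `escapes \`link\`` example only asserts a negative, and the `before` in this `describe` stubs `Onebox::View.template` to a fixed string with no placeholder, so if `to_html` renders that stub the output presumably never contains the `&` or `'` from the input URL and `not_to match(/&(?!amp;)(?!#39;)/)` passes without escaping being exercised at all. Stub a template that actually renders the link and assert the escaped forms are present, e.g. `expect(html).to include('&amp;')` and `expect(html).to include('&#39;')`, so a regression that stops escaping fails the spec. The added `escapes xss` example is `skip`ped, which leaves no executed XSS regression in this describe; its `%20onmouseover=` payload also cannot break out of a quoted `href` because the breakout character is the quote, so a payload containing `"` with `expect(html).not_to include(%|" onmouseover|)` would test the real attribute-injection risk. The enclosing `describe "#link"` starts at or before the hunk header, so the `before` stub's full scope is not fully visible here.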
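Review bot: The `always_https` example pins the scheme only loosely: `expect(result).to match(/https/)` is satisfied by any `https` substring anywhere in the rendered template, and nothing verifies the host and query survived the rewrite. Assert the exact upgraded URL instead, `expect(result).to include('https://play.google.com/store/apps/details?id=com.google.android.inputmethod.latin')` (assuming `to_html` interpolates the url into its template), and, if the engine exposes the rewritten url, also check it directly so the property holds independently of the template. `/http(?!s)/` will also reject unrelated text such as `xhttp`; `expect(result).to_not match(%r{http://})` states the intent more precisely alongside the existing protocol-relative check.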