spec/lib/onebox/preview_spec.rb in onebox-1.7.3 vs spec/lib/onebox/preview_spec.rb in onebox-1.7.4
- old
+ new
@@ -80,6 +80,21 @@
describe "#engine" do
it "returns an engine" do
expect(preview.send(:engine)).to be_an(Onebox::Engine)
end
end
+
+ describe "xss" do
+ let(:xss) { "wat' onerror='alert(/XSS/)" }
+ let(:img_html) { "<img src='#{xss}'>" }
+
+ it "prevents XSS" do
+ preview = described_class.new(preview_url)
+ preview.expects(:engine_html).returns(img_html)
+
+ result = preview.to_s
+ expect(result).not_to match(/onerror/)
+ end
+
+ end
+
end
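Review bot: The assertion at L20, `expect(result).not_to match(/onerror/)`, checks for a substring rather than for an attribute, so it both passes if the sanitizer dropped the whole `<img>` tag and fails if the sanitizer correctly entity-encoded the apostrophe while leaving the literal text `onerror` inside the `src` value. A structural check pins the intended behaviour: `img = Nokogiri::HTML.fragment(result).at_css("img")`, `expect(img).not_to be_nil`, `expect(img["onerror"]).to be_nil` (assuming Nokogiri is available in the spec environment, which the hunk does not show). As a point of style, `preview.expects(:engine_html).returns(img_html)` at L17 is Mocha syntax while the rest of this file uses RSpec's `expect(...).to`; if rspec-mocks is the configured framework, `allow(preview).to receive(:engine_html).and_return(img_html)` keeps the file consistent. The `preview_url` used at L16 and the enclosing `describe` block are defined outside this hunk, and the blank `+` line before the closing `end` at L23 is stray whitespace.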