add unit test of escaping image urls (#9245)

author Toshi MARUYAMA <marutosijp2@yahoo.co.jp>

Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)

committer Toshi MARUYAMA <marutosijp2@yahoo.co.jp>

Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)
author Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)
committer Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb

index f226fca4ede12a5783553b7e2e2998da632eb3c8..4d9f90518fb543528481abab93734e25c22f11dd 100644 (file)
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -197,6 +197,13 @@ EXPECTED
      assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
    end
  
+  def test_textile_should_escape_image_urls
+    # this is onclick="alert('XSS');" in encoded form
+    raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
+    expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
+    assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+  end
+
    private
  
    def assert_html_output(to_test, expect_paragraph = true)
author	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
	Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)
committer	Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
	Wed, 2 Nov 2011 07:35:51 +0000 (07:35 +0000)