Use a case-insensitive comparison in sanitizing URI schemes

Closes #1625
author: Stan Hu <stanhu@gmail.com> 2016-05-07 20:56:08 +0300
committer: Stan Hu <stanhu@gmail.com> 2016-05-09 22:47:53 +0300
commit: 849cc380d8f2ed895bde11c01987e6633bc3d567 (patch)
tree: 76de46e4b15969b09b3fa235642e160203a0a112 /spec/lib
parent: 93b4a3a1561839f42b03755b071296b926f6e7a5 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 27ce312b11c..b38e3b17e64 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -22,6 +22,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
       expect(filter(act).to_html).to eq exp
     end
 
+    it 'sanitizes mixed-cased javascript in attributes' do
+      act = %q(<a href="javaScript:alert('foo')">Text</a>)
+      exp = '<a>Text</a>'
+      expect(filter(act).to_html).to eq exp
+    end
+
     it 'allows whitelisted HTML tags from the user' do
       exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
       expect(filter(act).to_html).to eq exp
author	Stan Hu <stanhu@gmail.com>	2016-05-07 20:56:08 +0300
committer	Stan Hu <stanhu@gmail.com>	2016-05-09 22:47:53 +0300
commit	849cc380d8f2ed895bde11c01987e6633bc3d567 (patch)
tree	76de46e4b15969b09b3fa235642e160203a0a112 /spec/lib
parent	93b4a3a1561839f42b03755b071296b926f6e7a5 (diff)