Diffstat (limited to 'spec/support/shared_examples/lib/banzai/filters')
-rw-r--r-- | spec/support/shared_examples/lib/banzai/filters/sanitization_filter_shared_examples.rb | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/spec/support/shared_examples/lib/banzai/filters/sanitization_filter_shared_examples.rb b/spec/support/shared_examples/lib/banzai/filters/sanitization_filter_shared_examples.rb
index b5c07f45d59..47655f86558 100644
--- a/spec/support/shared_examples/lib/banzai/filters/sanitization_filter_shared_examples.rb
+++ b/spec/support/shared_examples/lib/banzai/filters/sanitization_filter_shared_examples.rb
@@ -45,62 +45,62 @@ RSpec.shared_examples 'XSS prevention' do
 # Adapted from the Sanitize test suite: http://git.io/vczrM
 protocols = {
 'protocol-based JS injection: simple, no spaces' => {
- input: '<a href="javascript:alert(\'XSS\');">foo</a>',
+ input: '<a href="javascript:alert(\'XSS\');">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: simple, spaces before' => {
- input: '<a href="javascript :alert(\'XSS\');">foo</a>',
+ input: '<a href="javascript :alert(\'XSS\');">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: simple, spaces after' => {
- input: '<a href="javascript: alert(\'XSS\');">foo</a>',
+ input: '<a href="javascript: alert(\'XSS\');">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: simple, spaces before and after' => {
- input: '<a href="javascript : alert(\'XSS\');">foo</a>',
+ input: '<a href="javascript : alert(\'XSS\');">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: preceding colon' => {
- input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
+ input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: UTF-8 encoding' => {
- input: '<a href="javascript:">foo</a>',
+ input: '<a href="javascript:">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: long UTF-8 encoding' => {
- input: '<a href="javascript:">foo</a>',
+ input: '<a href="javascript:">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
- input: '<a href=javascript:alert('XSS')>foo</a>',
+ input: '<a href=javascript:alert('XSS')>foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: hex encoding' => {
- input: '<a href="javascript:">foo</a>',
+ input: '<a href="javascript:">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: long hex encoding' => {
- input: '<a href="javascript:">foo</a>',
+ input: '<a href="javascript:">foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: 
hex encoding without semicolons' => {
- input: '<a href=javascript:alert('XSS')>foo</a>',
+ input: '<a href=javascript:alert('XSS')>foo</a>',
 output: '<a>foo</a>'
 },
 'protocol-based JS injection: null char' => {
- input: "<a href=java\0script:alert(\"XSS\")>foo</a>",
+ input: "<a href=java\0script:alert(\"XSS\")>foo</a>",
 output: '<a href="java"></a>'
 },
@@ -115,7 +115,7 @@ RSpec.shared_examples 'XSS prevention' do
 },
 'protocol-based JS injection: spaces and entities' => {
- input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
+ input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
 output: '<a href="">foo</a>'
 }, |
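Review bot: The old and new sides of every changed `input:` line in this hunk, and in the one at line 115, render identically here, which suggests the page has decoded entity-escaped `href` values and that the commit only changes how `javascript:` is escaped; the case names ('UTF-8 encoding', 'hex encoding', 'long hex encoding without semicolons') appear to be the only record in the file of which escaping each input exercises. I would add a comment above `protocols = {` such as `# Each case below spells "javascript:" in a different escaped/entity form (see the case name); keep the inputs exactly as written, since any tool that decodes them turns the cases into duplicates of the plain form.` The 'null char' case expects `'<a href="java"></a>'`, i.e. the link text is dropped while every neighbouring case keeps `foo`; if the reason that result is correct for the sanitizer is known, a one-line comment on that `output:` line would save the next reader from treating it as a typo. The `protocols` hash opens inside this hunk but continues past it, and the shared example block begins before it.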