Diffstat (limited to 'spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb')
-rw-r--r-- | spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb
new file mode 100644
index 00000000000..ed94a71892d
--- /dev/null
+++ b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'sanitizable' do |factory, fields|
+  let(:attributes) { fields.to_h { |field| [field, input] } }
+
+  it 'includes Sanitizable' do
+    expect(described_class).to include(Sanitizable)
+  end
+
+  fields.each do |field|
+    subject do
+      record = build(factory, attributes)
+      record.valid?
+
+      record.public_send(field)
+    end
+
+    describe "##{field}" do
+      context 'when input includes javascript tags' do
+        let(:input) { 'hello<script>alert(1)</script>' }
+
+        it 'gets sanitized' do
+          expect(subject).to eq('hello')
+        end
+      end
+    end
+
+    describe "##{field} validation" do
+      context 'when input contains pre-escaped html entities' do
+        let_it_be(:input) { '<script>alert(1)</script>' }
+
+        subject { build(factory, attributes) }
+
+        it 'is not valid', :aggregate_failures do
+          expect(subject).not_to be_valid
+          expect(subject.errors.details[field].flat_map(&:values)).to include('cannot contain escaped HTML entities')
+        end
+      end
+    end
+  end
+end
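Review bot: The `subject do … record.public_send(field) end` placed directly inside `fields.each` is redefined on the same example group on every iteration, so when `fields` has more than one entry each `describe "##{field}"` group resolves `subject` to the last field rather than its own and the 'gets sanitized' example checks the wrong attribute; moving that `subject` block inside `describe "##{field}" do` scopes it per field, as the validation describe already does with its own `subject { build(factory, attributes) }`. In the 'when input contains pre-escaped html entities' context the input renders here as a literal `<script>` tag; if the source literal is entity-encoded (`&lt;script&gt;…`) the page extraction lost it, otherwise the context name and its input disagree and the example exercises tag stripping instead of the escaped-entity validation it is named for. `let_it_be(:input)` for a plain string literal is also inconsistent with the `let(:input)` used in the first context and gains nothing for an immutable value, so `let(:input) { … }` would read the same. The file is new and the whole shared example group is within the hunk.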