00a6f5b601
Using `<%==` is the same as using `raw`. I'm not sure if we meant `sanitize` in this case, or it's just a typo. I'm assuming the latter since we don't use anything similar in any other places.
100 lines
2.7 KiB
Ruby
100 lines
2.7 KiB
Ruby
require "rails_helper"
|
|
|
|
describe "Cross-Site Scripting protection", :js do
|
|
let(:attack_code) { "<script>document.body.remove()</script>" }
|
|
|
|
scenario "valuators in admin investments index" do
|
|
hacker = create(:user, username: attack_code)
|
|
investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
|
|
|
|
login_as(create(:administrator).user)
|
|
visit admin_budget_budget_investments_path(investment.budget)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "document title" do
|
|
process = create(:legislation_process)
|
|
create(:document, documentable: process, title: attack_code)
|
|
|
|
visit legislation_process_path(process)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "hacked translations" do
|
|
I18nContent.create(key: "admin.budget_investments.index.list.title", value: attack_code)
|
|
|
|
login_as(create(:administrator).user)
|
|
visit admin_budget_budget_investments_path(create(:budget_investment).budget)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "accept terms label" do
|
|
I18nContent.create(key: "form.accept_terms", value: attack_code)
|
|
|
|
login_as(create(:user))
|
|
visit new_debate_path
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "link to sign in" do
|
|
I18nContent.create(key: "budgets.investments.index.sidebar.not_logged_in", value: attack_code)
|
|
create(:budget, phase: "accepting")
|
|
|
|
visit budgets_path
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "proposal actions in dashboard" do
|
|
proposal = create(:proposal)
|
|
|
|
create(:dashboard_action, description: attack_code)
|
|
|
|
login_as(proposal.author)
|
|
visit recommended_actions_proposal_dashboard_path(proposal)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "poll description setting in dashboard" do
|
|
Setting["proposals.poll_description"] = attack_code
|
|
proposal = create(:proposal)
|
|
|
|
login_as(proposal.author)
|
|
visit proposal_dashboard_polls_path(proposal)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "annotation context" do
|
|
annotation = create(:legislation_annotation)
|
|
annotation.update_column(:context, attack_code)
|
|
|
|
visit polymorphic_hierarchy_path(annotation)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "valuation explanations" do
|
|
investment = create(:budget_investment, price_explanation: attack_code)
|
|
valuator = create(:valuator, investments: [investment])
|
|
|
|
login_as(valuator.user)
|
|
visit valuation_budget_budget_investment_path(investment.budget, investment)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
|
|
scenario "markdown conversion" do
|
|
process = create(:legislation_process, description: attack_code)
|
|
|
|
visit legislation_process_path(process)
|
|
|
|
expect(page.text).not_to be_empty
|
|
end
|
|
end
|