Explicitly disable JS when testing JS injection

CKEditor already comes with JS injection protection, so potential
attackers will most likely disable CKEditor.
Javi Martín
2021-03-27 00:51:26 +01:00
parent 45f2abcb1c
commit 0b7014b7d7
2 changed files with 4 additions and 4 deletions


@@ -263,7 +263,7 @@ describe "Debates" do
expect(page).to have_content error_message
end
scenario "JS injection is prevented but safe html is respected" do
scenario "JS injection is prevented but safe html is respected", :no_js do
author = create(:user)
login_as(author)
@@ -297,7 +297,7 @@ describe "Debates" do
expect(page).to have_link("www.example.org", href: "http://www.example.org")
end
scenario "JS injection is prevented but autolinking is respected" do
scenario "JS injection is prevented but autolinking is respected", :no_js do
author = create(:user)
js_injection_string = "<script>alert('hey')</script> <a href=\"javascript:alert('surprise!')\">click me<a/> http://example.org"
login_as(author)
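Review bot: With `:no_js` these scenarios presumably run on a driver that never executes scripts, so only assertions on the returned markup can show the payload was neutralised; those assertions sit below `login_as(author)`, outside this hunk, and need checking there. As far as I know Capybara's rack_test driver treats `<script>` contents as non-visible text, so a `not_to have_content` check could pass even if the tag survived sanitisation. I would add markup-level checks such as `expect(page.html).not_to include "<script>"` and `expect(page).not_to have_css "a[href^='javascript:']"`. The same applies to both scenarios here and to the two Proposals scenarios in the second file. A comment above each scenario, e.g. `# Submitted without JS so the server-side sanitizer is what gets tested, not CKEditor`, would record why the tag is there.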


@@ -482,7 +482,7 @@ describe "Proposals" do
expect(page).to have_content error_message
end
scenario "JS injection is prevented but safe html is respected" do
scenario "JS injection is prevented but safe html is respected", :no_js do
author = create(:user)
login_as(author)
@@ -526,7 +526,7 @@ describe "Proposals" do
expect(page).to have_link("www.example.org", href: "http://www.example.org")
end
scenario "JS injection is prevented but autolinking is respected" do
scenario "JS injection is prevented but autolinking is respected", :no_js do
author = create(:user)
js_injection_string = "<script>alert('hey')</script> <a href=\"javascript:alert('surprise!')\">click me<a/> http://example.org"
login_as(author)
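Review bot: The two scenarios tagged here look like copies of the Debates ones, down to the identical `js_injection_string`, so the `:no_js` tag and the payload must now be kept in step by hand in two spec files. A shared example group that takes the factory name and the form path as parameters would give one place to tag and one payload to extend when new sanitiser cases are added. The scenario bodies continue outside the hunk, so this is based on the visible lines only.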