prevents body comments to accept html a tags, sanitize them out instead as well

2015-09-10 19:05:34 +02:00
parent 31cf51f07a
commit 5ecbe01d47
2 changed files with 4 additions and 3 deletions
--- a/spec/features/comments_spec.rb
+++ b/spec/features/comments_spec.rb
@@ -34,13 +34,14 @@ feature 'Comments' do
  end

  scenario 'Sanitizes comment body for security' do
-    create :comment, commentable: debate, body: "<script>alert('hola')</script> http://madrid.es"
+    create :comment, commentable: debate, body: "<script>alert('hola')</script> <a href=\"javascript:alert('sorpresa!')\">click me<a/> http://madrid.es"

    visit debate_path(debate)

    within first('.comment') do
-      expect(page).to have_content "alert('hola') http://madrid.es"
+      expect(page).to have_content "click me http://madrid.es"
      expect(page).to have_link('http://madrid.es', href: 'http://madrid.es')
+      expect(page).not_to have_link('click me')
    end
  end