require "rails_helper" describe "Cross-Site Scripting protection", :js do let(:attack_code) { "" } scenario "valuators in admin investments index" do hacker = create(:user, username: attack_code) investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)]) login_as(create(:administrator).user) visit admin_budget_budget_investments_path(investment.budget) expect(page.text).not_to be_empty end scenario "document title" do process = create(:legislation_process) create(:document, documentable: process, title: attack_code) visit legislation_process_path(process) expect(page.text).not_to be_empty end scenario "hacked translations" do I18nContent.create(key: "admin.budget_investments.index.list.title", value: attack_code) login_as(create(:administrator).user) visit admin_budget_budget_investments_path(create(:budget_investment).budget) expect(page.text).not_to be_empty end scenario "proposal actions in dashboard" do proposal = create(:proposal) create(:dashboard_action, description: attack_code) login_as(proposal.author) visit recommended_actions_proposal_dashboard_path(proposal) expect(page.text).not_to be_empty end scenario "annotation context" do annotation = create(:legislation_annotation) annotation.update_column(:context, attack_code) visit polymorphic_hierarchy_path(annotation) expect(page.text).not_to be_empty end scenario "valuation explanations" do investment = create(:budget_investment, price_explanation: attack_code) valuator = create(:valuator, investments: [investment]) login_as(valuator.user) visit valuation_budget_budget_investment_path(investment.budget, investment) expect(page.text).not_to be_empty end end