consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
0f485308b73193afd3d9a10f2fca3f39d04f5cc3
nairobi/spec/features/xss_spec.rb
Javi Martín 0f485308b7 Sanitize CKEditor content before displaying it 
It's possible to create a newsletter or a proposed action with
<script> tags by filling in the body using a textarea instead of a
CKEditor. While we trust our administrators not to do so, it's better to
completely eliminate that possibility.
2019-10-08 18:46:20 +02:00

45 lines
1.3 KiB
Ruby
Raw Blame History

require "rails_helper"
describe "Cross-Site Scripting protection", :js do
let(:attack_code) { "<script>document.body.remove()</script>" }
scenario "valuators in admin investments index" do
hacker = create(:user, username: attack_code)
investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
login_as(create(:administrator).user)
visit admin_budget_budget_investments_path(investment.budget)
expect(page.text).not_to be_empty
end
scenario "document title" do
process = create(:legislation_process)
create(:document, documentable: process, title: attack_code)
visit legislation_process_path(process)
expect(page.text).not_to be_empty
end
scenario "hacked translations" do
I18nContent.create(key: "admin.budget_investments.index.list.title", value: attack_code)
login_as(create(:administrator).user)
visit admin_budget_budget_investments_path(create(:budget_investment).budget)
expect(page.text).not_to be_empty
end
scenario "proposal actions in dashboard" do
proposal = create(:proposal)
create(:dashboard_action, description: attack_code)
login_as(proposal.author)
visit recommended_actions_proposal_dashboard_path(proposal)
expect(page.text).not_to be_empty
end
end
Reference in New Issue View Git Blame Copy Permalink