some more specs

PragTob · PragTob · commit aa9e194a7af3 · 2020-02-04T17:06:47.000+01:00
diff --git a/spec/usage/base/xss_spec.rb b/spec/usage/base/xss_spec.rb
@@ -34,20 +34,42 @@ def response
       # but since we accepted an alert to get here this test should be fine
     end
 
+    # note that `heading do "string" end` doesn't work and you
+    # should rather use `heading do plain "string" end`
+    # Why the hell is this tested then?
+    # Well if that behavior changed I'd like to have a reminder
+    # here to catch it. Call me overly cautious.
+    it "escaping won't be broken in block form (if it worked)" do
+      class ExamplePage < Matestack::Ui::Page
+        def response
+          components {
+            heading do
+              XSS::EVIL_SCRIPT
+            end
+          }
+        end
+      end
+
+      visit "/example"
+
+      static_output = page.html
+      expect(static_output).not_to include("alert(")
+    end
+
     it "escapes the evil when injecting into attributes" do
       class ExamplePage < Matestack::Ui::Page
 
         def response
           components {
-            heading text: "Be Safe!", id: "something-\"#{XSS::EVIL_SCRIPT}"
+            heading text: "Be Safe!", id: "something-\">#{XSS::EVIL_SCRIPT}"
           }
         end
 
       end
 
       visit "/example"
 
-      expect(page.html).to include("id=\"something-&quot;<script>alert('hello');</script>")
+      expect(page.html).to include("id=\"something-&quot;><script>alert('hello');</script>")
     end
   end
 end
diff --git a/spec/usage/components/absolute_spec.rb b/spec/usage/components/absolute_spec.rb
@@ -28,4 +28,26 @@ def response
     expect(stripped(static_output)).to include(stripped(expected_static_output))
   end
 
+  describe "XSSing" do
+    it "escaping" do
+      class ExamplePage < Matestack::Ui::Page
+
+        def response
+          components {
+            absolute top: 50, left: '50px;">' + XSS::EVIL_SCRIPT, right: 50, bottom: 100, z: 3 do
+              plain 'I am absolute content'
+            end
+          }
+        end
+
+      end
+
+      visit '/example'
+
+      static_output = page.html
+
+      expect(static_output).not_to include("alert")
+    end
+  end
+
 end
