[rspec-users] Testing for cross site scripting, etc.

aslak hellesoy aslak.hellesoy at gmail.com
Tue Jun 19 02:51:45 EDT 2007


On 6/19/07, Courtenay <court3nay at gmail.com> wrote:
> On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > Being new to testing and ruby, are there "standard" tests that can be
> > > done that test for things like cross site scripting and friends?
> > >
> >
> > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> >
> > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > sure how you think RSpec is relevant. Unless you want to use Watir or
> > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > RSpec)
>
> I'd say they want to assert, in the views, that user-generated input
> does not render script tags.
>
> Like if I set my user info to be <script>alert('cookie!');</script> it
> should appear in the view as &lt;script&gt;alert and so on.
>
> Maybe in the view spec
>
>   @user.stub!(:info).and_return('<script>foo</script>')
>   response.should_not have_tag('script')
>

Oh I see. Your example sounds like a good way to prevent against it.

Aslak

> Right?
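The escaping the thread describes, as an added example that is not part of the original message: a constructed user record rendered once without escaping and once with `ERB::Util.html_escape` (the standard-library escaper behind Rails' `h` helper), plus the check a view spec would assert, that no raw `<script>` tag survives in the output. The `User` struct and the `render_profile_*` helpers are hypothetical stand-ins for a real view.

```ruby
require 'erb'

# Constructed stand-in for a user profile record (hypothetical, not from the thread).
User = Struct.new(:name, :info)

# The "before" rendering: interpolates user data straight into the markup,
# so a stored <script> payload survives into the page unchanged.
def render_profile_unsafe(user)
  "<div class=\"info\">#{user.info}</div>"
end

# The "after" rendering: every user-controlled value goes through
# ERB::Util.html_escape, so <, >, &, " and ' become entities that the
# browser displays as text instead of parsing as markup.
def render_profile_safe(user)
  "<div class=\"info\">#{ERB::Util.html_escape(user.info)}</div>"
end

# The check a view spec asserts on: does a raw <script ...> opening tag
# (any case, with or without attributes) appear in the rendered HTML?
# This is the same idea as `response.should_not have_tag('script')`.
def contains_script_tag?(html)
  !!(html =~ /<\s*script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('mallory', "<script>alert('cookie!');</script>")
  puts render_profile_unsafe(user)
  puts render_profile_safe(user)
  puts contains_script_tag?(render_profile_unsafe(user)) # true
  puts contains_script_tag?(render_profile_safe(user))   # false
end
```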
