[rspec-users] Testing for cross site scripting, etc.

barsalou barjunk at attglobal.net
Tue Jun 19 17:39:58 EDT 2007

Responding to:
 From court3nay at gmail.com  Mon Jun 18 20:23:37 2007
From: court3nay at gmail.com (Courtenay)
Date: Mon, 18 Jun 2007 17:23:37 -0700
Subject: [rspec-users] Testing for cross site scripting, etc.
In-Reply-To: <8d961d900706181656i2354ae21l4c2ebbf8f5a5d6a8 at mail.gmail.com>
References: <20070618140657.8bokw24dssko8gko at lcgalaska.com>
	<8d961d900706181656i2354ae21l4c2ebbf8f5a5d6a8 at mail.gmail.com>
Message-ID: <4b430c8f0706181723o3ae007a7nc96a705480538e3c at mail.gmail.com>

On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > Being new to testing and ruby, are there "standard" tests that can be
> > done that test for things like cross site scripting and friends?
> >
> I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> sure how you think RSpec is relevant. Unless you want to use Watir or
> Selenium-RC, which allows you to talk to a browser from Ruby (and
> RSpec)

I'd say they want to assert, in the views, that user-generated input
does not render script tags.

Like if I set my user info to be <script>alert('cookie!');</script> it
should appear in the view as &lt;script&gt;alert and so on.

Maybe in the view spec

  response.should_not have_tag('script')


This is exactly the kind of thing I was looking for. I do have a
question though.

Do the two lines above really test anything? Or were you just showing
an example of what I might do?

Also, the fact that you wrote the dumbass plugin makes me wonder why
<%=h user.name =%> is needed? I get what you're doing, but why doesn't
escaping happen in the form? Aren't there protections already
built-in, especially in rails, to escape form fields?

Can you do this same sort of thing for the SQL injection problem as well?

Mike B.
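The view check Courtenay sketches above, written out as a runnable Ruby example (added here; not code from the thread or from rspec-rails). It renders the same hostile profile name through two small ERB templates, one that forgets the `h` helper and one that uses it, and applies the two assertions the thread describes: no live `<script` tag in the output, and the payload showing up as the escaped text `&lt;script&gt;alert...`. The `ViewContext` class, the template strings and the sample name are constructed stand-ins for a Rails view and model; `h` is `ERB::Util.html_escape`, which is what Rails' `h` calls.

```ruby
require 'erb'

# Constructed sample input: the payload from the thread, stored as a user's name.
HOSTILE_NAME = "<script>alert('cookie!');</script>"

# Two tiny ERB templates standing in for a Rails view.
# `h` is ERB::Util.html_escape, the helper <%=h user.name %> calls in Rails.
UNSAFE_VIEW = "<p>Welcome, <%= name %></p>"   # forgets h: markup passes straight through
SAFE_VIEW   = "<p>Welcome, <%= h name %></p>" # escapes on output

# Minimal stand-in for the view's rendering context (assumption: a Rails view
# would get `name` from the model and `h` from ActionView's helpers).
class ViewContext
  include ERB::Util # mixes in h / html_escape
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def render(template)
    # the binding here exposes `name` and `h` to the template
    ERB.new(template).result(binding)
  end
end

# The assertion behind `response.should_not have_tag('script')`: a
# case-insensitive search for an opening <script tag in the rendered HTML.
def script_tag?(html)
  html.match?(/<script\b/i)
end

# The positive check from the thread: the payload must appear as text,
# i.e. as &lt;script&gt;alert... rather than as a tag.
def escaped_as_text?(html)
  html.include?('&lt;script&gt;alert')
end

# Render a template with the hostile name and report both checks.
def check_view(template, name = HOSTILE_NAME)
  html = ViewContext.new(name).render(template)
  { html: html, has_script_tag: script_tag?(html), escaped: escaped_as_text?(html) }
end

if __FILE__ == $0
  [UNSAFE_VIEW, SAFE_VIEW].each do |view|
    r = check_view(view)
    puts "#{view}\n  -> #{r[:html]}\n  script tag present: #{r[:has_script_tag]}, escaped: #{r[:escaped]}"
  end
end
```

Run it as a script to see both renderings side by side. The negative check alone (no `<script` tag) is a weak guard, since escaping failures can surface in other markup too; pairing it with the positive check that the escaped entity text is present tells you the output path actually went through `h`, which is the property the view spec is meant to pin down.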
