[rspec-users] Testing for cross site scripting, etc.

barsalou barjunk at attglobal.net
Tue Jun 19 17:39:58 EDT 2007



Responding to:
 From court3nay at gmail.com  Mon Jun 18 20:23:37 2007
From: court3nay at gmail.com (Courtenay)
Date: Mon, 18 Jun 2007 17:23:37 -0700
Subject: [rspec-users] Testing for cross site scripting, etc.
In-Reply-To: <8d961d900706181656i2354ae21l4c2ebbf8f5a5d6a8 at mail.gmail.com>
References: <20070618140657.8bokw24dssko8gko at lcgalaska.com>
	<8d961d900706181656i2354ae21l4c2ebbf8f5a5d6a8 at mail.gmail.com>
Message-ID: <4b430c8f0706181723o3ae007a7nc96a705480538e3c at mail.gmail.com>

On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > Being new to testing and ruby, are there "standard" tests that can be
> > done that test for things like cross site scripting and friends?
> >
>
> I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
>
> XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> sure how you think RSpec is relevant. Unless you want to use Watir or
> Selenium-RC, which allows you to talk to a browser from Ruby (and
> RSpec)

I'd say they want to assert, in the views, that user-generated input
does not render script tags.

Like if I set my user info to be <script>alert('cookie!');</script> it
should appear in the view as &lt;script&gt;alert and so on.

Maybe in the view spec

  @user.stub!(:info).and_return('<script>foo</script>')
  render 'users/show'   # view path is an assumption for this sketch
  response.should_not have_tag('script')

Right?



This is exactly the kind of thing I was looking for.  I do have a 
question though.

Do the two lines above really test anything?  Or were you just showing 
an example of what I might do?

Also, the fact that you wrote the dumbass plugin makes me wonder why 
<%=h user.name %> is needed?  I get what you're doing, but why doesn't 
escaping happen in the form?  Aren't there protections already 
built-in, especially in Rails, to escape form fields?

Can you do this same sort of thing for the SQL injection problem as well?

Mike B.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

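Courtenay's view-spec sketch, carried through as a stand-alone example that runs without Rails or RSpec. This is added here and is not code from the thread, from RSpec or from Rails: it assumes a hypothetical User model with an info attribute, uses Ruby's standard ERB in place of a Rails view, and uses CGI.escapeHTML in place of the Rails h helper (Rails' h is ERB::Util.html_escape, which produces the same entities). It renders the same view twice, once without h and once with it, and applies the "no live script tag" check to both outputs:

```ruby
require "erb"
require "cgi"

# Added example, not code from the thread or from RSpec/Rails. It mimics a
# Rails 1.x/2.x ERB view, where output is NOT escaped unless the template
# calls h. Rails' h is ERB::Util.html_escape; CGI.escapeHTML from the Ruby
# standard library emits the same entities, so this runs without Rails.
module ViewHelpers
  def h(value)
    CGI.escapeHTML(value.to_s)
  end
end

# Hypothetical model, standing in for the @user stub in the thread.
# The payload is stored verbatim: nothing escapes it on the way in, which
# is why the view has to escape it on the way out.
User = Struct.new(:info)

# The same view written twice: once forgetting h, once using it.
UNSAFE_TEMPLATE = %(<p class="info"><%= @user.info %></p>)
SAFE_TEMPLATE   = %(<p class="info"><%= h @user.info %></p>)

class View
  include ViewHelpers

  def initialize(user)
    @user = user
  end

  # Renders like an ERB view: @user is visible in the template and the
  # template can call h because the binding is this object.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# The check Courtenay sketched: the rendered HTML must not contain a live
# <script> tag. A regexp is a rough stand-in for the have_tag matcher,
# which parses the HTML; entity-escaped &lt;script&gt; does not match here.
def contains_script_tag?(html)
  !!(html =~ /<script\b/i)
end

# Constructed sample input: the payload from the thread.
XSS_PAYLOAD = "<script>alert('cookie!');</script>"

# Renders both templates for a user whose info is the payload and returns
# both outputs so they can be compared and asserted on.
def render_both(payload = XSS_PAYLOAD)
  view = View.new(User.new(payload))
  { unsafe: view.render(UNSAFE_TEMPLATE), safe: view.render(SAFE_TEMPLATE) }
end

if __FILE__ == $0
  out = render_both
  puts "unsafe: #{out[:unsafe]}  script tag? #{contains_script_tag?(out[:unsafe])}"
  puts "safe:   #{out[:safe]}  script tag? #{contains_script_tag?(out[:safe])}"
end
```

In a real view spec of that era the equivalent is to stub the model, call `render`, and assert `response.should_not have_tag('script')`; the point the example makes is that the stored value stays raw, so escaping has to happen at output time in the view rather than being something the form does for you.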

