[rspec-users] Testing for cross site scripting, etc.
court3nay at gmail.com
Tue Jun 19 18:14:34 EDT 2007
On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > Being new to testing and ruby, are there "standard" tests that can be
> > > done that test for things like cross site scripting and friends?
> > >
> > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > sure how you think RSpec is relevant. Unless you want to use Watir or
> > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > RSpec)
> I'd say they want to assert, in the views, that user-generated input
> does not render script tags.
> Like if I set my user info to be <script>alert('cookie!');</script> it
> should appear in the view as <script>alert and so on.
> Maybe in the view spec
> response.should not_have_tag('script')
> Do the two lines above really test anything? Or were you just showing
> an example of what I might do?
They're an approximate example. Your code will look slightly different.
> Also, the fact that you wrote the dumbass plugin makes me wonder why
> <%=h user.name =%> is needed? I get what you're doing, but why doesn't
> escaping happen in the form? Aren't there protections already
> built-in, especially in rails, to escape form fields?
That's what <%=h is. HTML escaping. It's easy to forget. Note there
is no trailing =
> Can you do this same sort of thing for SQL injection problem as well? Mike B.
Rails has inbuilt injection safety, provided you follow the suggested
practice. I suggest you read up on it before we revoke your rails
license: http://manuals.rubyonrails.com/read/chapter/40 :)
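The point made in this thread (user-supplied data must be passed through `h` in the view, and a view spec can check that no `<script>` tag survives) can be shown with plain stdlib ERB. The following is an added example, not code from the thread or from RSpec or Rails; `View`, `render_unescaped`, `render_escaped` and `contains_script_tag?` are names chosen here, and the malicious profile name is a constructed sample value. `ERB::Util#h` is the same helper that Rails' `<%=h ... %>` calls.

```ruby
require "erb"

# Constructed sample of user-supplied profile data (not taken from the thread).
MALICIOUS_NAME = "<script>alert('cookie!');</script>"

# Two minimal view templates: the first forgets to escape, the second uses
# ERB::Util's h (html_escape), which is what Rails' <%=h ... %> helper calls.
UNESCAPED_VIEW = "<p>Hello, <%= name %></p>"
ESCAPED_VIEW   = "<p>Hello, <%= h name %></p>"

# A tiny stand-in for a Rails view: the template is evaluated with a binding
# in which ERB::Util's helpers (h, url_encode, ...) are available.
class View
  include ERB::Util

  def initialize(template, name)
    @template = template
    @name = name
  end

  def render
    name = @name # expose `name` as a local to the template
    ERB.new(@template).result(binding)
  end
end

def render_unescaped(name)
  View.new(UNESCAPED_VIEW, name).render
end

def render_escaped(name)
  View.new(ESCAPED_VIEW, name).render
end

# The check a view spec would make (the thread's "should not have a script
# tag"): does a real <script ...> opening tag appear in the rendered HTML?
# An escaped "&lt;script&gt;" is harmless text and does not match.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unescaped(MALICIOUS_NAME)}"
  puts "escaped:   #{render_escaped(MALICIOUS_NAME)}"
  puts "unescaped view contains script tag? #{contains_script_tag?(render_unescaped(MALICIOUS_NAME))}"
  puts "escaped view contains script tag?   #{contains_script_tag?(render_escaped(MALICIOUS_NAME))}"
end
```

Running it shows the unescaped template emitting the raw `<script>` element, while the escaped one renders `&lt;script&gt;alert(&#39;cookie!&#39;);&lt;/script&gt;`, which the browser displays as text. The regex check looks only for a genuine opening tag rather than the substring "script", so it does not raise a false alarm on the escaped form.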