[rspec-users] Testing for cross site scripting, etc.

Moses Hohman moses.hohman at gmail.com
Wed Jun 20 11:19:30 EDT 2007


We wrote a custom rspec matcher for this, example:

response.should contain_escaped("<u>user name</u>")

The custom matcher first checks that the escaped text appears in the page
(so you know you're actually checking for something that is really there)
and then checks that the unescaped text does not appear in the page. It also
makes sure that the text you've provided actually contains something that
can be escaped in it, again failing on bogus examples. I'd be happy to
release it somehow. Failing that here's the code for it:

require 'erb'   # ERB::Util supplies html_escape (the h helper used in views)

module CDD
  module CustomRspecMatchers
    class ContainEscaped
      include ERB::Util
      attr_reader :failure_message

      def initialize(unescaped)
        @unescaped = unescaped
        @escaped = html_escape(@unescaped)
      end

      def matches?(response)
        # A probe with nothing to escape would pass trivially, so reject it.
        if @escaped == @unescaped
          @failure_message = "no HTML in \"#{@unescaped}\""
          return false
        # The raw markup must not appear anywhere in the page.
        elsif response.body =~ %r(#{Regexp.escape(@unescaped)})
          @failure_message = "unescaped \"#{@unescaped}\" found in page"
          return false
        # ...and the escaped form must, so we know the value was rendered.
        elsif response.body !~ %r(#{Regexp.escape(@escaped)})
          @failure_message = "escaped \"#{@unescaped}\" not found in page"
          return false
        else
          return true
        end
      end

      def negative_failure_message
        raise "you can't use should_not with the contain_escaped matcher"
      end
    end

    def contain_escaped(unescaped)
      ContainEscaped.new(unescaped)
    end
  end
end

That's just sitting inside spec_helper.rb, and then of course we include
CDD::CustomRspecMatchers (I guess that should be CustomRSpecMatchers) inside
the Spec::Runner.configure do block. Any improvement suggestions welcome.

CDD is the name of our company (www.collaborativedrug.com), in case that
wasn't clear.

Moses

On 6/19/07, Courtenay <court3nay at gmail.com> wrote:
>
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > > Being new to testing and ruby, are there "standard" tests that can be
> > > > done that test for things like cross site scripting and friends?
> > > >
> > >
> > > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting(XSS)
> > >
> > > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > > sure how you think RSpec is relevant. Unless you want to use Watir or
> > > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > > RSpec)
> >
> > I'd say they want to assert, in the views, that user-generated input
> > does not render script tags.
> >
> > Like if I set my user info to be <script>alert('cookie!');</script> it
> > should appear in the view as &lt;script&gt;alert and so on.
> >
> > Maybe in the view spec
> >
> >   @user.stub!(:info).and_return('<script>foo</script>')
> >   response.should not_have_tag('script')
> >
> > Do the two lines above really test anything?  or were you just showing
> > an example of what I might do?
>
> They're an approximate example.  Your code will look slightly different.
>
> > Also, the fact that you wrote the dumbass plugin makes me wonder why
> > <%=h user.name =%> is needed?  I get what your doing, but why doesn't
> > escaping happen in the form?  Aren't there protections already
> > built-in, especially in rails, to escape form fields?
>
> That's what <%=h is.  Html escaping.  It's easy to forget.  Note there
> is no trailing =
>
> > Can you do this same sort of thing for SQL injection problem as
> > well?  Mike B.
>
> Rails has inbuilt injection safety, provided you follow the suggested
> practise. I suggest you read up on it before we revoke your rails
> license: http://manuals.rubyonrails.com/read/chapter/40 :)
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
>
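To show the matcher's three checks against real rendered views, here is an added example (not code from the original post or from CDD): it renders constructed ERB templates with and without the h helper, including a double-escaping variant, and applies the same checks outside of RSpec. `Page`, `audit` and the template strings are assumed names for this example.

```ruby
require 'erb'

# Renders a constructed template with one untrusted local, user_name.
class Page
  include ERB::Util  # provides h / html_escape, as the Rails <%=h %> helper does

  def initialize(user_name)
    @user_name = user_name
  end

  def render(template)
    user_name = @user_name  # exposed to the template as a local
    ERB.new(template).result(binding)
  end
end

# Constructed views: the first forgets h, the second escapes once,
# the third escapes twice (a bug the same checks also catch).
RAW_VIEW     = "<p>Hello, <%= user_name %></p>"
ESCAPED_VIEW = "<p>Hello, <%=h user_name %></p>"
DOUBLE_VIEW  = "<p>Hello, <%=h h(user_name) %></p>"

# Returns nil when the body passes, otherwise the failure message
# the contain_escaped matcher would report for the same body.
def contain_escaped_failure(body, unescaped)
  escaped = ERB::Util.html_escape(unescaped)
  return "no HTML in #{unescaped.inspect}"                if escaped == unescaped
  return "unescaped #{unescaped.inspect} found in page"   if body.include?(unescaped)
  return "escaped #{unescaped.inspect} not found in page" unless body.include?(escaped)
  nil
end

# Render the template with the probe as user_name, then check the result.
def audit(template, probe)
  contain_escaped_failure(Page.new(probe).render(template), probe)
end

if $PROGRAM_NAME == __FILE__
  probe = "<script>alert('cookie!');</script>"  # the probe from the thread
  { "raw" => RAW_VIEW, "escaped" => ESCAPED_VIEW, "double" => DOUBLE_VIEW }.each do |name, view|
    puts "#{name}: #{audit(view, probe) || 'ok'}"
  end
  puts "plain probe: #{audit(ESCAPED_VIEW, 'user name')}"
end
```

Only the single-escaped view passes; the raw view fails on the unescaped check, the double-escaped view fails because `&amp;lt;script&amp;gt;` never contains the expected `&lt;script&gt;`, and a probe with no markup is rejected as a bogus example.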