[rspec-users] Testing for cross site scripting, etc.
Moses Hohman
moses.hohman at gmail.com
Wed Jun 20 11:19:30 EDT 2007
We wrote a custom rspec matcher for this, example:
response.should contain_escaped("<u>user name</u>")
The custom matcher first checks that the escaped text appears in the page
(so you know you're actually checking for something that is really there)
and then checks that the unescaped text does not appear in the page. It also
makes sure that the text you've provided actually contains something that
can be escaped in it, again failing on bogus examples. I'd be happy to
release it somehow. Failing that, here's the code for it:
require 'erb'   # ERB::Util provides html_escape, the same helper Rails exposes as h

module CDD
  module CustomRspecMatchers
    class ContainEscaped
      include ERB::Util
      attr_reader :failure_message

      def initialize(unescaped)
        @unescaped = unescaped
        @escaped = html_escape(@unescaped)
      end

      def matches?(response)
        if @escaped == @unescaped
          # Escaping would not change the sample, so the spec could never prove anything.
          @failure_message = "no HTML in \"#{@unescaped}\""
          return false
        elsif response.body =~ %r(#{Regexp.escape(@unescaped)})
          # The raw markup reached the page: the view forgot to escape it.
          @failure_message = "unescaped \"#{@unescaped}\" found in page"
          return false
        elsif response.body !~ %r(#{Regexp.escape(@escaped)})
          # The escaped form is absent, so the text is not actually rendered anywhere.
          @failure_message = "escaped \"#{@unescaped}\" not found in page"
          return false
        else
          return true
        end
      end

      def negative_failure_message
        raise "you can't use should_not with the contain_escaped matcher"
      end
    end

    def contain_escaped(unescaped)
      ContainEscaped.new(unescaped)
    end
  end
end
That's just sitting inside spec_helper.rb, and then of course we include
CDD::CustomRspecMatchers (I guess that should be CustomRSpecMatchers) inside
the Spec::Runner.configure do block. Any improvement suggestions welcome.
CDD is the name of our company (www.collaborativedrug.com), in case that
wasn't clear.
Moses
On 6/19/07, Courtenay <court3nay at gmail.com> wrote:
>
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > > Being new to testing and ruby, are there "standard" tests that can be
> > > > done that test for things like cross site scripting and friends?
> > > >
> > >
> > > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting(XSS)
> > >
> > > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > > sure how you think RSpec is relevant. Unless you want to use Watir or
> > > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > > RSpec)
> >
> > I'd say they want to assert, in the views, that user-generated input
> > does not render script tags.
> >
> > Like if I set my user info to be <script>alert('cookie!');</script> it
> > should appear in the view as <script>alert and so on.
> >
> > Maybe in the view spec
> >
> > @user.stub!(:info).and_return('<script>foo</script>')
> > response.should not_have_tag('script')
> >
> > Do the two lines above really test anything? or were you just showing
> > an example of what I might do?
>
> They're an approximate example. Your code will look slightly different.
>
> > Also, the fact that you wrote the dumbass plugin makes me wonder why
> > <%=h user.name =%> is needed? I get what you're doing, but why doesn't
> > escaping happen in the form? Aren't there protections already
> > built-in, especially in rails, to escape form fields?
>
> That's what <%=h is. HTML escaping. It's easy to forget. Note there
> is no trailing =
>
> > Can you do this same sort of thing for SQL injection problem as well?
> > Mike B.
>
> Rails has inbuilt injection safety, provided you follow the suggested
> practice. I suggest you read up on it before we revoke your rails
> license: http://manuals.rubyonrails.com/read/chapter/40 :)
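Added example, not code from Moses's post or from CDD: a self-contained Ruby script that stands in for a Rails view with a tiny ERB-backed View class (an assumption of this example, not part of Rails or RSpec), renders a constructed hostile user string through one template that uses h and one that forgets it, and runs the same three checks the contain_escaped matcher performs over both renderings, plus the "bogus sample" case where the input contains nothing escapable.

```ruby
require 'erb'

# Minimal stand-in for a Rails view (assumption of this example): including
# ERB::Util gives the template the same h / html_escape helper Rails' <%=h %> calls.
class View
  include ERB::Util

  def initialize(user_info)
    @user_info = user_info
  end

  # Evaluate the template in this instance's binding so @user_info and h are visible.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed templates: the first escapes user data, the second forgets to.
ESCAPED_TEMPLATE   = "<p>Info: <%= h(@user_info) %></p>"
UNESCAPED_TEMPLATE = "<p>Info: <%= @user_info %></p>"

# The three checks from the contain_escaped matcher, as a plain method returning
# [passed, reason] so it can be called outside RSpec. Substring search is used
# here in place of the matcher's Regexp.escape'd regex; the effect is the same.
def contains_escaped?(body, unescaped)
  escaped = ERB::Util.html_escape(unescaped)
  return [false, "no HTML in #{unescaped.inspect}"] if escaped == unescaped
  return [false, "unescaped #{unescaped.inspect} found in page"] if body.include?(unescaped)
  return [false, "escaped #{unescaped.inspect} not found in page"] unless body.include?(escaped)
  [true, nil]
end

# Constructed hostile user info, the same shape as the thread's example.
PAYLOAD = "<script>alert('cookie!');</script>"

# Run the check against both templates and against a sample with nothing to escape.
def check_templates(payload = PAYLOAD)
  {
    escaped:   contains_escaped?(View.new(payload).render(ESCAPED_TEMPLATE), payload),
    unescaped: contains_escaped?(View.new(payload).render(UNESCAPED_TEMPLATE), payload),
    bogus:     contains_escaped?(View.new("plain").render(ESCAPED_TEMPLATE), "plain"),
  }
end

if __FILE__ == $PROGRAM_NAME
  check_templates.each do |name, (ok, why)|
    puts "#{name}: #{ok ? 'pass' : "FAIL (#{why})"}"
  end
end
```

Only the template that calls h passes; the one without h is reported as "unescaped ... found in page", and the "plain" sample is rejected up front because escaping it changes nothing, which is the self-check Moses describes as guarding against bogus examples.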