Module: MuckModelMacros

Defined in:
lib/test/shoulda_macros/models.rb


Instance Method Details

#should_accept_nested_attributes_for(*attr_names) ⇒ Object



# File 'lib/test/shoulda_macros/models.rb', line 34

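# Asserts that the model under test declares a nested-attributes writer for
# each of the given associations (i.e. +accepts_nested_attributes_for+ was
# called for them).
#
# The model class is derived from the test class name by stripping a trailing
# "Test" (e.g. +UserTest+ -> +User+).
#
# @param attr_names [Array<Symbol, String>] association names to check
# @return [Object] whatever the shoulda +context+ macro returns
def should_accept_nested_attributes_for(*attr_names)
  # \z anchors at end of string; $ would also match before an embedded newline.
  klass = name.sub(/Test\z/, '').constantize

  context klass.to_s do
    attr_names.each do |association_name|
      writer = "#{association_name}_attributes="
      should "accept nested attrs for #{association_name}" do
        # method_defined? accepts a String on every Ruby version. The original
        # `instance_methods.include?("...")` is always false on Ruby 1.9+,
        # where instance_methods returns Symbols, so the check silently failed.
        assert klass.method_defined?(writer),
               "#{klass} does not accept nested attributes for #{association_name}"
      end
    end
  end
end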

#should_sanitize(*attributes) ⇒ Object



# File 'lib/test/shoulda_macros/models.rb', line 3

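# Asserts that each given attribute does not retain well-known XSS payloads
# after assignment and save.
#
# The model class is derived from the test class name by stripping a trailing
# "Test". For every attribute, the first record is loaded, each payload is
# assigned and saved, and the value read back must no longer contain the
# payload verbatim.
#
# @param attributes [Array<Symbol, String>] attribute names to check
# @return [Array] the attribute names (result of +each+)
def should_sanitize(*attributes)
  # Classic XSS vectors, kept as literal data so the test doubles as a spec of
  # what the sanitizer must reject. Do not edit the strings: the assertion
  # below looks for each one verbatim in the stored value.
  bad_scripts = [
    %|';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>|,
    %|'';!--"<XSS>=&{()}|,
    %|<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>|,
    %|<IMG SRC="javascript:alert('XSS');">|,
    %|<IMG SRC=javascript:alert('XSS')>|,
    %|<IMG SRC=JaVaScRiPt:alert('XSS')>|,
    %|<IMG SRC=JaVaScRiPt:alert('XSS')>|,
    %|<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>|,
    %|<IMG """><SCRIPT>alert("XSS")</SCRIPT>">|,
    %|<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>|,
    %|<A HREF="h
    tt	p://6&#9;6.000146.0x7.147/">XSS</A>|,
    %|<script>alert('message');</script>| ]

  # \z anchors at end of string; $ would also match before an embedded newline.
  klass = name.sub(/Test\z/, '').constantize
  attributes.each do |attribute|
    attribute = attribute.to_sym
    should "white list #{attribute}" do
      # NOTE(review): find(:first) is the pre-Rails-3 finder API — confirm it
      # matches the Rails version this macro targets.
      object = klass.find(:first)
      assert object, "Can't find first #{klass}"
      bad_scripts.each do |bad_value|
        # public_send: only the public writer matters here, since that is the
        # path untrusted input takes into the model.
        object.public_send("#{attribute}=", bad_value)
        # NOTE(review): save's return value is ignored. If sanitization runs in
        # a save callback and validation fails, the raw payload stays in place
        # and the assertion below catches it — confirm this is the intended
        # contract rather than asserting the save itself.
        object.save
        clean_value = object.public_send(attribute)
        # to_s: an attribute the sanitizer blanked to nil counts as clean
        # instead of raising NoMethodError on nil.include?.
        # NOTE(review): this only proves the exact payload did not survive
        # verbatim; a sanitizer that alters a single character of it would
        # still pass this check.
        assert !clean_value.to_s.include?(bad_value),
               "#{attribute} is not white listed. #{bad_value} made it through"
      end
    end
  end
end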