Blame SOURCES/rubygem-actionview-4.2.7.1-CVE-2016-6316-attribute-xss-tests.patch
diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
index ce89d57..8332dd0 100644
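--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -140,6 +140,16 @@ def test_tag_honors_html_safe_with_escaped_array_class
 assert_equal '', str
 end
 
+ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal 'content ',
+ content_tag('p', "content", title: '"'.html_safe)
+ end
+
+ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal 'content ',
+ content_tag('p', "content", data: { title: '"'.html_safe })
+ end
+
 def test_skip_invalid_escaped_attributes
 ['&1;', 'dfa3;', '& #123;'].each do |escaped|
 assert_equal %(), tag('a', :href => escaped)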
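Review bot: Both added tests use `assert_dom_equal`, which compares parsed DOM rather than the emitted bytes, while the neighbouring tests in this hunk use `assert_equal`; for an escaping regression test tied to CVE-2016-6316 an exact comparison pins the serialized attribute more tightly, e.g. `assert_equal '<p title="&quot;">content</p>', content_tag('p', "content", title: '"'.html_safe)`. The expected literals render here as `'content '`, so the markup was presumably lost in this view and should be checked against the patch file itself. Only `content_tag` is exercised; a matching case for `tag` with an `html_safe` quote would cover the other entry point if it shares the same attribute path, which is not visible here. The test class and the trailing `each do` block continue outside the hunk.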