engine/spec/controllers/admin/api_contents_controller_spec.rb

require 'spec_helper'

describe Admin::ApiContentsController do

  before(:each) do
    @site = FactoryGirl.create('existing site')
    @site.content_types.first.tap do |content_type|
      content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true
      content_type.content_custom_fields.build :label => 'Description', :kind => 'text'
      content_type.content_custom_fields.build :label => 'File', :kind => 'file'
      content_type.content_custom_fields.build :label => 'Active', :kind => 'boolean'
    end.save

    controller.stubs(:require_site).returns(true)
    controller.stubs(:current_site).returns(@site)
  end

  describe 'API disabled' do

    it 'blocks the creation of a new instance' do
      post 'create', default_post_params

      response.code.should eq('403')
      response.body.should == 'Api not enabled'
    end

  end

  describe 'API enabled' do

    before(:each) do
      ContentType.any_instance.stubs(:api_enabled?).returns(true)
    end

    it 'saves a content' do
      post 'create', default_post_params

      response.should redirect_to('http://www.locomotivecms.com/success')

      @site.reload.content_types.first.contents.size.should == 1
    end

    it 'does not save a content if required parameters are missing' do
      post 'create', default_post_params(:content => { :name => '' })

      response.should redirect_to('http://www.locomotivecms.com/failure')

      @site.reload.content_types.first.contents.size.should == 0
    end

    describe 'XSS vulnerability' do

      it 'sanitizes the params (simple example)' do
        post 'create', default_post_params(:content => { :name => %(Hacking <script type="text/javascript">alert("You have been hacked")</script>) })

        content = @site.reload.content_types.first.contents.first

        content.name.should == "Hacking alert(\"You have been hacked\")"
      end

      it 'sanitizes the params (more complex example)' do
        post 'create', default_post_params(:content => { :name => %(<img src=javascript:alert('Hello')><table background="javascript:alert('Hello')">Hacked) })

        content = @site.reload.content_types.first.contents.first

        content.name.should == "Hacked"
      end

      it 'does not sanitize non string params' do
        lambda {
          post 'create', default_post_params(:content => {
            :active => true,
            :file => ActionDispatch::Http::UploadedFile.new(:tempfile => FixturedAsset.open('5k.png'), :filename => '5k.png', :content_type => 'image/png')
          })
        }.should_not raise_exception
      end

    end

  end

  def default_post_params(options = {})
    {
      :slug => 'projects',
      :content => { :name => 'LocomotiveCMS', :description => 'Lorem ipsum' }.merge(options.delete(:content) || {}),
      :success_callback => 'http://www.locomotivecms.com/success',
      :error_callback => 'http://www.locomotivecms.com/failure'
    }.merge(options)
  end

end
fix xss vulnerability issue (#170) 2011-08-18 14:06:34 +00:00			`require 'spec_helper'`

			`describe Admin::ApiContentsController do`

			`before(:each) do`
Ruby MRI 1.9.3 Compatability Fixes 2011-08-25 21:28:56 +00:00			`@site = FactoryGirl.create('existing site')`
fix xss vulnerability issue (#170) 2011-08-18 14:06:34 +00:00			`@site.content_types.first.tap do \|content_type\|`
			`content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true`
			`content_type.content_custom_fields.build :label => 'Description', :kind => 'text'`
fix issue #201 2011-09-14 09:32:14 +00:00			`content_type.content_custom_fields.build :label => 'File', :kind => 'file'`
			`content_type.content_custom_fields.build :label => 'Active', :kind => 'boolean'`
fix xss vulnerability issue (#170) 2011-08-18 14:06:34 +00:00			`end.save`

			`controller.stubs(:require_site).returns(true)`
			`controller.stubs(:current_site).returns(@site)`
			`end`

			`describe 'API disabled' do`

			`it 'blocks the creation of a new instance' do`
			`post 'create', default_post_params`

			`response.code.should eq('403')`
			`response.body.should == 'Api not enabled'`
			`end`

			`end`

			`describe 'API enabled' do`

			`before(:each) do`
			`ContentType.any_instance.stubs(:api_enabled?).returns(true)`
			`end`

			`it 'saves a content' do`
			`post 'create', default_post_params`

			`response.should redirect_to('http://www.locomotivecms.com/success')`

			`@site.reload.content_types.first.contents.size.should == 1`
			`end`

			`it 'does not save a content if required parameters are missing' do`
			`post 'create', default_post_params(:content => { :name => '' })`

			`response.should redirect_to('http://www.locomotivecms.com/failure')`

			`@site.reload.content_types.first.contents.size.should == 0`
			`end`

			`describe 'XSS vulnerability' do`

			`it 'sanitizes the params (simple example)' do`
			`post 'create', default_post_params(:content => { :name => %(Hacking <script type="text/javascript">alert("You have been hacked")</script>) })`

			`content = @site.reload.content_types.first.contents.first`

			`content.name.should == "Hacking alert(\"You have been hacked\")"`
			`end`

			`it 'sanitizes the params (more complex example)' do`
			`post 'create', default_post_params(:content => { :name => %(<img src=javascript:alert('Hello')><table background="javascript:alert('Hello')">Hacked) })`

			`content = @site.reload.content_types.first.contents.first`

			`content.name.should == "Hacked"`
			`end`

fix issue #201 2011-09-14 09:32:14 +00:00			`it 'does not sanitize non string params' do`
			`lambda {`
			`post 'create', default_post_params(:content => {`
			`:active => true,`
			`:file => ActionDispatch::Http::UploadedFile.new(:tempfile => FixturedAsset.open('5k.png'), :filename => '5k.png', :content_type => 'image/png')`
			`})`
			`}.should_not raise_exception`
			`end`

fix xss vulnerability issue (#170) 2011-08-18 14:06:34 +00:00			`end`

			`end`

			`def default_post_params(options = {})`
			`{`
			`:slug => 'projects',`
			`:content => { :name => 'LocomotiveCMS', :description => 'Lorem ipsum' }.merge(options.delete(:content) \|\| {}),`
			`:success_callback => 'http://www.locomotivecms.com/success',`
			`:error_callback => 'http://www.locomotivecms.com/failure'`
			`}.merge(options)`
			`end`

			`end`