From 6e68bf8ab4a06d4bc8eadda7d9bcbd8cf23476b5 2011-11-02 07:41:12
From: Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Date: 2011-11-02 07:41:12
Subject: [PATCH] merge r7707 from trunk

add unit test of escaping image urls

Contributed by Holger Just.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/1.2-stable@7709 e93f8b46-1217-0410-a6f0-8f06a7374b81

---

diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 9b7d622..89e3622 100644
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -197,6 +197,13 @@ EXPECTED
     assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
   end
 
+  def test_textile_should_escape_image_urls
+    # this is onclick="alert('XSS');" in encoded form
+    raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
+    expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
+    assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+  end
+
   private
 
   def assert_html_output(to_test, expect_paragraph = true)