Add a StoryRepository test for title-based XSS

isaiasmatewos · Nov 1, 2018 · 209d58d · 209d58d
1 parent c8c9144
commit 209d58d
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/spec/repositories/story_repository_spec.rb b/spec/repositories/story_repository_spec.rb
@@ -16,14 +16,23 @@
       StoryRepository.add(entry, feed)
     end
 
-    it "sanitizes titles" do
+    it "deletes line and paragraph separator characters from titles" do
       entry = double(title: "n\u2028\u2029", content: "").as_null_object
       allow(StoryRepository).to receive(:normalize_url)
 
       expect(Story).to receive(:create).with(hash_including(title: "n"))
 
       StoryRepository.add(entry, feed)
     end
+
+    it "deletes script tags from titles" do
+      entry = double(title: "n<script>alert('xss');</script>", content: "").as_null_object
+      allow(StoryRepository).to receive(:normalize_url)
+
+      expect(Story).to receive(:create).with(hash_including(title: "n"))
+
+      StoryRepository.add(entry, feed)
+    end
   end
 
   describe ".extract_url" do