Spec for not allowing user to do the XSS

5cbccda3 · Dorian · 29344522 · 5cbccda3
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -41,6 +41,14 @@ describe ApplicationHelper do
      person_image_link(@person).should include(person_path(@person))
    end
  end
+  
+  describe "#person_image_tag" do
+    it "should not allow basic XSS/HTML" do
+      @person.profile.first_name = "I'm <h1>Evil"
+      @person.profile.last_name = "I'm <h1>Evil"
+      person_image_tag(@person).should_not include("<h1>")
+    end
+  end

  describe "markdownify" do
    describe "autolinks" do