Move 'XSS via name parameter' to mobile conversation specs

because the desktop view doesn't use the name parameter anymore
2016-11-13 15:22:03 +01:00 · 2016-11-13 15:22:03 +01:00 · 9cbadec659
commit 9cbadec659
parent 2b6465ef25
1 changed files with 9 additions and 9 deletions
--- a/spec/controllers/conversations_controller_spec.rb
+++ b/spec/controllers/conversations_controller_spec.rb
@ -17,7 +17,7 @@ describe ConversationsController, :type => :controller do
  end

  describe "#new modal" do
-    context "desktop and mobile" do
+    context "desktop" do
      it "succeeds" do
        get :new, modal: true
        expect(response).to be_success
@ -32,14 +32,6 @@ describe ConversationsController, :type => :controller do
        get :new, aspect_id: alice.aspects.first.id, modal: true
        expect(controller.gon.conversation_prefill).to eq(alice.aspects.first.contacts.map {|c| c.person.as_json })
      end
-
-      it "does not allow XSS via the name parameter" do
-        ["</script><script>alert(1);</script>",
-         '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
-          get :new, modal: true, name: xss
-          expect(response.body).not_to include xss
-        end
-      end
    end

    context "mobile" do
@ -58,6 +50,14 @@ describe ConversationsController, :type => :controller do
        expect(assigns(:contacts_json)).not_to include(alice.contacts.where(receiving: false).first.person.name)
      end

+      it "does not allow XSS via the name parameter" do
+        ["</script><script>alert(1);</script>",
+         '"}]});alert(1);(function f() {var foo = [{b:"'].each do |xss|
+          get :new, modal: true, name: xss
+          expect(response.body).not_to include xss
+        end
+      end
+
      it "does not allow XSS via the profile name" do
        xss     = "<script>alert(0);</script>"
        contact = alice.contacts.first