fix js bug, add spec

2011-01-19 16:57:29 -08:00 · 2011-01-19 16:57:29 -08:00 · a5b4dd2604
commit a5b4dd2604
parent cd92b1dccb
2 changed files with 12 additions and 2 deletions
--- a/app/views/shared/_public_explain.haml
+++ b/app/views/shared/_public_explain.haml
@ -11,7 +11,7 @@
    %br

    - if current_user.services
-      - for service in current_user.services 
+      - for service in current_user.services
        = t('.logged_in', :service => service.provider)
        %br

@ -19,4 +19,4 @@

    %br
    %br
-    = link_to t('ok'), '#', :class => "button", :onClick => '$.fancybox.close();'
+    = link_to t('ok'), '#', :class => "button", :onClick => '$.facebox.close();'
--- a/spec/controllers/people_controller_spec.rb
+++ b/spec/controllers/people_controller_spec.rb
@ -152,6 +152,16 @@ describe PeopleController do
      response.should be_success
    end

+    it 'does not allow xss attacks' do
+      user2 = bob
+      profile = user2.profile
+      profile.first_name = "<script> alert('xss attack');</script>"
+      profile.save
+      get :show, :id => user2.person.id
+      response.should be_success
+      response.body.match(profile.first_name).should be_false
+    end
+
    it "renders the show page of a non-contact" do
      user2 = eve
      get :show, :id => user2.person.id