correct poll specs

2024-11-23 01:16:38 -06:00 · 2017-07-18 14:31:22 -04:00 · 2017-07-18 14:31:22 -04:00 · 93e5112dfa
commit 93e5112dfa
parent 7c7f22565c
3 changed files with 17 additions and 16 deletions
--- a/plugins/poll/plugin.rb
+++ b/plugins/poll/plugin.rb
@ -157,14 +157,14 @@ after_initialize do
          # extract attributes
          p.attributes.values.each do |attribute|
            if attribute.name.start_with?(DATA_PREFIX)
-              poll[attribute.name[DATA_PREFIX.length..-1]] = attribute.value
+              poll[attribute.name[DATA_PREFIX.length..-1]] = CGI::escapeHTML(attribute.value || "")
            end
          end

          # extract options
          p.css("li[#{DATA_PREFIX}option-id]").each do |o|
-            option_id = o.attributes[DATA_PREFIX + "option-id"].value
-            poll["options"] << { "id" => option_id, "html" => o.inner_html, "votes" => 0 }
+            option_id = CGI::escapeHTML(o.attributes[DATA_PREFIX + "option-id"].value || "")
+            poll["options"] << { "id" => option_id, "html" => CGI::escapeHTML(o.inner_html), "votes" => 0 }
          end

          # add the poll
@ -260,7 +260,7 @@ after_initialize do

        result = []

-        users = User.where(id: user_ids).map do |user|
+        User.where(id: user_ids).map do |user|
          result << UserNameSerializer.new(user).serializable_hash
        end
      end
--- a/plugins/poll/spec/controllers/posts_controller_spec.rb
+++ b/plugins/poll/spec/controllers/posts_controller_spec.rb
@ -29,23 +29,23 @@ describe PostsController do
    end

    it "should have different options" do
-      xhr :post, :create, { title: title, raw: "[poll]\n- A\n- A[/poll]" }
+      xhr :post, :create, { title: title, raw: "[poll]\n- A\n- A\n[/poll]" }
      expect(response).not_to be_success
      json = ::JSON.parse(response.body)
      expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_must_have_different_options"))
    end

    it "should have at least 2 options" do
-      xhr :post, :create, { title: title, raw: "[poll]\n- A[/poll]" }
+      xhr :post, :create, { title: title, raw: "[poll]\n- A\n[/poll]" }
      expect(response).not_to be_success
      json = ::JSON.parse(response.body)
      expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_must_have_at_least_2_options"))
    end

    it "should have at most 'SiteSetting.poll_maximum_options' options" do
-      raw = "[poll]"
+      raw = "[poll]\n"
      (SiteSetting.poll_maximum_options + 1).times { |n| raw << "\n- #{n}" }
-      raw << "[/poll]"
+      raw << "\n[/poll]"

      xhr :post, :create, { title: title, raw: raw }

@ -55,7 +55,7 @@ describe PostsController do
    end

    it "should have valid parameters" do
-      xhr :post, :create, { title: title, raw: "[poll type=multiple min=5]\n- A\n- B[/poll]" }
+      xhr :post, :create, { title: title, raw: "[poll type=multiple min=5]\n- A\n- B\n[/poll]" }
      expect(response).not_to be_success
      json = ::JSON.parse(response.body)
      expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_with_multiple_choices_has_invalid_parameters"))
@ -66,7 +66,8 @@ describe PostsController do
      expect(response).to be_success
      json = ::JSON.parse(response.body)
      expect(json["cooked"]).to match("data-poll-")
-      expect(json["polls"]["&lt;script&gt;alert(xss)&lt;/script&gt;"]).to be
+      expect(json["cooked"]).to include("&lt;script&gt;")
+      expect(json["polls"]["&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"]).to be
    end

    it "also works whe there is a link starting with '[poll'" do
@ -116,9 +117,9 @@ describe PostsController do

      describe "after the poll edit window has expired" do

-        let(:poll) { "[poll]\n- A\n- B[/poll]" }
-        let(:new_option) { "[poll]\n- A\n- C[/poll]" }
-        let(:updated) { "before\n\n[poll]\n- A\n- B[/poll]\n\nafter" }
+        let(:poll) { "[poll]\n- A\n- B\n[/poll]" }
+        let(:new_option) { "[poll]\n- A\n- C\n[/poll]" }
+        let(:updated) { "before\n\n[poll]\n- A\n- B\n[/poll]\n\nafter" }

        let(:post_id) do
          Timecop.freeze(6.minutes.ago) do
@ -220,14 +221,14 @@ describe PostsController do
  describe "named polls" do

    it "should have different options" do
-      xhr :post, :create, { title: title, raw: "[poll name=""foo""]\n- A\n- A[/poll]" }
+      xhr :post, :create, { title: title, raw: "[poll name=""foo""]\n- A\n- A\n[/poll]" }
      expect(response).not_to be_success
      json = ::JSON.parse(response.body)
      expect(json["errors"][0]).to eq(I18n.t("poll.named_poll_must_have_different_options", name: "foo"))
    end

    it "should have at least 2 options" do
-      xhr :post, :create, { title: title, raw: "[poll name='foo']\n- A[/poll]" }
+      xhr :post, :create, { title: title, raw: "[poll name='foo']\n- A\n[/poll]" }
      expect(response).not_to be_success
      json = ::JSON.parse(response.body)
      expect(json["errors"][0]).to eq(I18n.t("poll.named_poll_must_have_at_least_2_options", name: "foo"))
--- a/plugins/poll/spec/integration/poll_endpoints_spec.rb
+++ b/plugins/poll/spec/integration/poll_endpoints_spec.rb
@ -89,7 +89,7 @@ describe "DiscoursePoll endpoints" do
    end

    context "number poll" do
-      let(:post) { Fabricate(:post, raw: '[poll type=number min=1 max=20 step=1 public=true][/poll]') }
+      let(:post) { Fabricate(:post, raw: "[poll type=number min=1 max=20 step=1 public=true]\n[/poll]") }

      it 'should return the right response' do
        post