I want to test that the JSON response from a create action is
sanitized properly, but RSpec or Webrat appears to be parsing the
output into proper HTML chars instead of escaped characters. I have
verified that it escapes properly in the regular browser JSON
response.
The relevant RSpec test code is:
    include ActionView::Helpers::TextHelper
    include ActionView::Helpers::UrlHelper

    it "should automatically sanitize any HTML or script characters" do
      post :create, :post_id => @post.id,
                    :content => "<h1>Oh Hai!</h1><script>",
                    :user_id => @user.id,
                    :format  => 'js'
      # get json response
      json = JSON.parse(response.body)
      json['html'].should_not be_nil
      json['html'].should contain("#{h('<h1>Oh Hai!</h1><script>')}")
    end
How would I go about testing this properly? This is the error showing
what webrat expected versus what it received:
    expected the following element's content to include:
    "<h1>Oh Hai!</h1><script>"
    instead received:
    <h1>Oh Hai!</h1><script>
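
An added example, not part of the original post: it contrasts an assertion on the raw JSON string with one made after entity decoding. It assumes, as the failure message above suggests, that the matcher compares against parsed element content. `render_create_json` and `decoded_text` are hypothetical stand-ins for the controller action and the HTML parser, and the payload is constructed sample input.

```ruby
require 'json'
require 'erb'

# Constructed sample input: the same markup the spec in the question posts.
PAYLOAD = '<h1>Oh Hai!</h1><script>'

# Hypothetical stand-in for the create action's JSON body.
# escape: false simulates a regression where output escaping is lost.
def render_create_json(content, escape: true)
  html = escape ? ERB::Util.html_escape(content) : content
  JSON.generate('html' => html)
end

# Simplified stand-in for what an HTML parser does to text nodes:
# character references are decoded before the content is compared.
ENTITIES = { '&lt;' => '<', '&gt;' => '>', '&amp;' => '&',
             '&quot;' => '"', '&#39;' => "'" }.freeze

def decoded_text(fragment)
  fragment.gsub(/&(?:lt|gt|amp|quot|#39);/) { |entity| ENTITIES[entity] }
end

# Parsed-content style check: the escaped string is looked for in the
# decoded text, so it fails even when the response is escaped correctly.
def parsed_view_includes?(body, payload)
  html = JSON.parse(body)['html'].to_s
  decoded_text(html).include?(ERB::Util.html_escape(payload))
end

# Raw string check: the escaped form must be present in the JSON value and
# the unescaped markup must be absent (unless there was nothing to escape).
def escaped_in_response?(body, payload)
  html = JSON.parse(body)['html']
  return false if html.nil?

  escaped = ERB::Util.html_escape(payload)
  html.include?(escaped) && (escaped == payload || !html.include?(payload))
end

if __FILE__ == $PROGRAM_NAME
  good = render_create_json(PAYLOAD)
  bad  = render_create_json(PAYLOAD, escape: false)
  puts "escaped response, raw check:      #{escaped_in_response?(good, PAYLOAD)}"
  puts "escaped response, parsed check:   #{parsed_view_includes?(good, PAYLOAD)}"
  puts "unescaped response, raw check:    #{escaped_in_response?(bad, PAYLOAD)}"
end
```

In an RSpec spec the raw check corresponds to a plain string matcher such as `include` on `json['html']`, rather than a matcher that parses the value as HTML.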