iwasrobbed
2011-Apr-19 15:51 UTC
[rspec-users] RSpec/Webrat Checking output is properly escaped
I want to test that the JSON response from a create action is sanitized properly, but rspec or webrat appears to be parsing the output into proper HTML chars instead of escaped characters. I have verified that it escapes properly in the regular browser json response.

The relevant RSpec test code is:

    include ActionView::Helpers::TextHelper
    include ActionView::Helpers::UrlHelper

    it "should automatically sanitize any HTML or script characters" do
      post :create, :post_id => @post.id,
                    :content => "<h1>Oh Hai!</h1><script>",
                    :user_id => @user.id,
                    :format => 'js'
      # get json response
      json = JSON.parse(response.body)
      json['html'].should_not be_nil
      json['html'].should contain("#{h('<h1>Oh Hai!</h1><script>')}")
    end

How would I go about testing this properly? This is the error showing what webrat expected versus what it received:

    expected the following element's content to include:
      "<h1>Oh Hai!</h1><script>"

    instead received:
      <h1>Oh Hai!</h1><script>

Rob Biedenharn
2011-Apr-20 13:10 UTC
[rspec-users] RSpec/Webrat Checking output is properly escaped
On Apr 19, 2011, at 11:51 AM, iwasrobbed wrote:

> I want to test that the JSON response from a create action is
> sanitized properly, but rspec or webrat appears to be parsing the
> output into proper HTML chars instead of escaped characters. I have
> verified that it escapes properly in the regular browser json
> response.
>
> The relevant RSpec test code is:
>
> include ActionView::Helpers::TextHelper
> include ActionView::Helpers::UrlHelper
>
> it "should automatically sanitize any HTML or script characters"
> do
>   post :create, :post_id => @post.id,
>                 :content => "<h1>Oh Hai!</h1><script>",
>                 :user_id => @user.id,
>                 :format => 'js'
>   # get json response
>   json = JSON.parse(response.body)
>   json['html'].should_not be_nil
>   json['html'].should contain("#{h('<h1>Oh Hai!</h1><script>')}")

Do you really mean to have the h() call in there? THAT is escaping the characters (h is an alias for html_escape).

-Rob

> end
>
>
> How would I go about testing this properly? This is the error showing
> what webrat expected versus what it received:
>
> expected the following element's content to include:
> "<h1>Oh Hai!</h1><script>"
>
> instead received:
> <h1>Oh Hai!</h1><script>
>
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users

Rob Biedenharn
Rob at AgileConsultingLLC.com    http://AgileConsultingLLC.com/
rab at GaslightSoftware.com       http://GaslightSoftware.com/
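
Added example, not part of either message in the thread: a plain-Ruby sketch of checking escaping on the raw JSON string instead of on parsed text content. It assumes CGI.escapeHTML as a stand-in for the h helper; render_comment_json, text_content and escaped_in_response? are hypothetical names, and text_content is only a simplified model of an HTML-aware content matcher, not Webrat's code.

```ruby
require 'json'
require 'cgi'

# Constructed sample input: the same payload posted in the spec above.
PAYLOAD = '<h1>Oh Hai!</h1><script>'

# Hypothetical stand-in for the create action: escapes the user content
# (or not, to model a regression) and returns it under the 'html' key.
def render_comment_json(content, escape: true)
  html = escape ? CGI.escapeHTML(content) : content
  JSON.generate('html' => "<p>#{html}</p>")
end

# Simplified model (assumption) of what a matcher that parses HTML compares
# against: tags are dropped and entities are decoded back to characters.
def text_content(html)
  CGI.unescapeHTML(html.gsub(/<[^>]*>/, ''))
end

# Raw-string check: the escaped form must be present in the 'html' value
# and the unescaped payload must not appear anywhere in it.
def escaped_in_response?(body, payload)
  html = JSON.parse(body).fetch('html')
  html.include?(CGI.escapeHTML(payload)) && !html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  safe   = render_comment_json(PAYLOAD)
  unsafe = render_comment_json(PAYLOAD, escape: false)

  puts "raw check, escaped response:   #{escaped_in_response?(safe, PAYLOAD)}"
  puts "raw check, unescaped response: #{escaped_in_response?(unsafe, PAYLOAD)}"
  # After parsing, a correctly escaped response reads as the original markup,
  # so looking for the entity-encoded string in the text content fails.
  puts "text content of escaped response: #{text_content(JSON.parse(safe)['html'])}"
end
```

In an RSpec 1-era controller spec the same raw-string comparison can be written with the built-in include matcher on json['html'], which does no HTML parsing.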