@tommeier
Created February 16, 2011 03:30
# Changing an existing (MASSIVE) app from old school Rails 2.3.5 land to > 2.3.8 (switching it to 2.3.11), with things like rails_xss, can be a nightmare. Mainly because *EVERYTHING* is suddenly HTML escaped.
# To quickly find EVERY incidence of HTML escaping where you don't want it in your views, edit the test framework that browses the site.
# In this example the test framework was Webrat, so I (bundle open webrat) found the root method for loading a page response and scanned response.body for harmful display items. This will then load the page and print during the tests. In Webrat the file is session.rb and "def request_page(url, http_method, data)" is the root method. Webrat 0.7.3.
def request_page(url, http_method, data) #:nodoc:
  h = headers
  h['HTTP_REFERER'] = @current_url if @current_url
  debug_log "REQUESTING PAGE: #{http_method.to_s.upcase} #{url} with #{data.inspect} and HTTP headers #{h.inspect}"
  process_request(http_method, url, data, h)

  save_and_open_page if exception_caught? && Webrat.configuration.open_error_files?
  raise PageLoadError.new("Page load was not successful (Code: #{response_code.inspect}):\n#{formatted_error}") unless success_code?

  reset

  @current_url = url
  @http_method = http_method
  @data = data

  if internal_redirect?
    check_for_infinite_redirects
    request_page(response_location, :get, {})
  end

  # Examples of what rails_xss escapes when view output is not marked html_safe:
  #   Some random bit of text & with an ampersand gets HTML encoded
  #   <p> Some text found in an unencoded p tag</p>
  #   <a href=someother_location.html> Some text found in an encoded link</a>
  # Double-escaped entities (currently only &amp;ndash;); swap in the
  # commented-out alternative to catch every escaped &, < and >.
  escaped_characters = response.body.to_s.scan(/(\&amp\;ndash\;)/) #(/(\&amp\;|\&lt\;|\&gt\;)/)
  # Escaped tags: with the /m flag '.' matches newlines, so a single hit spans
  # the body up to the last '>' and the whole page gets printed below.
  escaped_tags = response.body.to_s.scan(/^.*\&lt.*\>/m)

  if escaped_tags.present? || escaped_characters.present?
    puts "*" * 100
    puts "*" * 100
    puts "ESCAPED TAGS FOUND : #{escaped_tags.size}" if escaped_tags.present? # multiline match, so this is usually 1
    puts "ESCAPED CHARACTERS FOUND : #{escaped_characters.inspect}" if escaped_characters.present?
    puts "*" * 100
    puts "*" * 100
    puts response.body
    save_and_open_page
    puts "*" * 100
    puts "*" * 100
  end

  return response
end
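As an added example that is not part of the gist, the same check as a standalone Ruby detector with no Webrat dependency: it reports each hit with its line number instead of dumping the whole body, and separates double-escaped entities (a sure sign of over-escaping) from escaped tags (only a heuristic, since correctly escaped user input looks the same). The regexes, function names and sample body are all constructed here.

```ruby
# Added example (not the gist's code): a plain-Ruby detector for over-escaped
# markup in a rendered page body, independent of Webrat and Rails.

# An entity escaped twice, e.g. "&amp;lt;", "&amp;ndash;" or "&amp;#39;".
# Strong signal: it only appears when already-escaped HTML (a partial or a
# helper's output that was not marked html_safe) was escaped again.
DOUBLE_ESCAPED = /&amp;(?:[a-z]+|#\d+|#x[0-9a-f]+);/i

# An escaped tag such as "&lt;p&gt;" or "&lt;/a&gt;". Only a heuristic:
# correctly escaped user input containing "<b>" looks identical, so these
# hits need a human look, while DOUBLE_ESCAPED hits do not.
ESCAPED_TAG = %r{&lt;/?[a-z][a-z0-9]*(?:\s[^&]*?)?&gt;}i

# Scan a response body line by line and return an array of
# { line:, kind:, match: } hashes so a test can assert on them.
def find_over_escaping(body)
  hits = []
  body.each_line.with_index(1) do |line, lineno|
    line.scan(DOUBLE_ESCAPED) { |m| hits << { line: lineno, kind: :double_escaped, match: m } }
    line.scan(ESCAPED_TAG)    { |m| hits << { line: lineno, kind: :escaped_tag,    match: m } }
  end
  hits
end

# Count hits per kind, e.g. { double_escaped: 1, escaped_tag: 4 }.
def summarize(body)
  find_over_escaping(body).group_by { |h| h[:kind] }.transform_values(&:size)
end

# Constructed sample body: line 2 is a correctly escaped user comment
# (harmless, but flagged by the tag heuristic), line 3 is a partial that was
# escaped a second time, line 4 is a correctly escaped bare ampersand.
SAMPLE_BODY = <<~HTML
  <h1>Dashboard</h1>
  <p>User said: &lt;b&gt;bold?&lt;/b&gt;</p>
  &lt;p&gt;Latest &amp;ndash; news&lt;/p&gt;
  <a href="/x">Tom &amp; Jerry</a>
HTML

if __FILE__ == $PROGRAM_NAME
  find_over_escaping(SAMPLE_BODY).each do |h|
    puts "line #{h[:line]}: #{h[:kind]} #{h[:match]}"
  end
end
```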