unit test for issue #20

apostrophecms · Jul 18, 2014 · ef163ce · ef163ce
1 parent f7aa27c
commit ef163ce
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/test/test.js b/test/test.js
@@ -204,5 +204,19 @@ describe('sanitizeHtml', function() {
       ''
     );
   });
+  it('should not allow a naked = sign followed by an unrelated attribute to result in one merged attribute with unescaped double quote marks', function() {
+    assert.equal(
+      sanitizeHtml(
+        '<IMG SRC= onmouseover="alert(\'XSS\');">',
+        {
+          allowedTags: [ 'img' ],
+          allowedAttributes: {
+            img: [ 'src' ]
+          }
+        }
+      ),
+      '<img src="" />'
+    );
+  });
 });