diff --git a/test/unit/page_renderer_test.rb b/test/unit/page_renderer_test.rb
index 7be3c7d1..00354da6 100644
--- a/test/unit/page_renderer_test.rb
+++ b/test/unit/page_renderer_test.rb
@@ -230,6 +230,12 @@ class PageRendererTest < Test::Unit::TestCase
"Do not mark \n up [[this text]] \n" +
"and http://this.url.com but markup [[this]]")
end
+
+ def test_sanitize_nowiki_tag
+ assert_markup_parsed_as(
+ '
[[test]]&shebang <script>alert("xss!");</script> *foo*
',
+ '[[test]]&shebang *foo*')
+ end
def test_content_with_bracketted_wiki_word
set_web_property :brackets_only, true
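Review bot: The new test_sanitize_nowiki_tag pins the sanitizer against a single lowercase `<script>` block, which is the one form every filter catches; the bypasses that matter are case variants, event-handler attributes on otherwise-allowed tags, and entity-encoded angle brackets, and none of them is exercised. One more call in the same shape would close the most common gap, e.g. `assert_markup_parsed_as('[[test]] <nowiki><ScRiPt>alert("xss!");</ScRiPt></nowiki> *foo*', '[[test]] *foo*')`, with the wrapping tag adjusted to whatever the original literal actually used. As rendered here the input literal is split across three lines and no `<nowiki>` tags are visible, so I am reading the case from its name; if that line break is real rather than a rendering artifact, the expected output `'[[test]]&shebang *foo*'` would not match the leading newline either. The expected string also keeps a bare `&shebang` unescaped, which is worth a comment stating that this is intentional (`# bare ampersands are passed through, not entity-escaped`) so it is not mistaken for a missing escape later.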
@@ -369,6 +375,16 @@ class PageRendererTest < Test::Unit::TestCase
assert_equal 'NewPageCategory', references[0].referenced_name
assert_equal WikiReference::CATEGORY, references[0].link_type
end
+
+ def test_references_creation_sanitized_categories
+ new_page = @web.add_page('NewPage', "Foo\ncategory: ",
+ Time.local(2004, 4, 4, 16, 50), 'AlexeyVerkhovsky', test_renderer)
+
+ references = new_page.wiki_references(true)
+ assert_equal 1, references.size
+ assert_equal "<script>alert('XSS');</script>", references[0].referenced_name
+ assert_equal WikiReference::CATEGORY, references[0].link_type
+ end
def test_rendering_included_page_under_different_modes
included = @web.add_page('Included', 'link to HomePage', Time.now, 'AnAuthor', test_renderer)
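Review bot: The assertion `assert_equal "<script>alert('XSS');</script>", references[0].referenced_name` pins that a category containing markup is persisted unescaped, so the name test_references_creation_sanitized_categories is misleading and nothing in the new test checks the place where this payload would actually fire, namely wherever referenced_name is rendered (category listings, link text). Either assert that the stored name is the escaped form, or keep raw storage explicit and add an output-side check; at minimum a comment on the assertion, `# referenced_name is stored unescaped on purpose; every view that renders it must HTML-escape it`, would stop the next reader from treating this as proof the value is safe. As shown, the page body on the first added line is `"Foo\ncategory: "` with no category value, which cannot produce that reference; presumably the script payload was stripped when this diff was rendered, but if the literal really is empty the `assert_equal 1, references.size` line fails.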