end
# check error when a non-existent node is included
- get :nodes, :params => { :nodes => "#{node1.id},#{node2.id},#{node3.id},#{node4.id},#{node5.id},400" }
+ get :nodes, :params => { :nodes => "#{node1.id},#{node2.id},#{node3.id},#{node4.id},#{node5.id},0" }
assert_response :not_found
end
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
- content "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
+ content "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" \
+ '<tag k="#{@user.inspect}" v="0"/>' \
"</node></osm>"
put :create
assert_require_public_data "Shouldn't be able to create with non-public user"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
- content "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
+ content "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" \
+ '<tag k="#{@user.inspect}" v="0"/>' \
"</node></osm>"
put :create
assert_response :success