end
def test_create_invalid_xml
- ## Only test public user here, as test_create should cover what's the forbiddens
+ ## Only test public user here, as test_create should cover what's the forbidden
## that would occur here
user = create(:user)
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
xml = "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" \
- '<tag k="#{@user.inspect}" v="0"/>' \
+ "<tag k='\#{@user.inspect}' v='0'/>" \
"</node></osm>"
put node_create_path, :params => xml, :headers => auth_header
assert_require_public_data "Shouldn't be able to create with non-public user"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" \
- '<tag k="#{@user.inspect}" v="0"/>' \
+ "<tag k='\#{@user.inspect}' v='0'/>" \
"</node></osm>"
put node_create_path, :params => xml, :headers => auth_header
assert_response :success